Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.

Project: root project 'calcite'

org.apache.calcite:calcite:1.27.0-SNAPSHOT

Summary

Dependency | Vulnerability IDs | Package | Highest Severity | CVE Count | Confidence | Evidence Count
HdrHistogram-2.1.11.jar |  | pkg:maven/org.hdrhistogram/HdrHistogram@2.1.11 |  | 0 |  | 28
LatencyUtils-2.0.3.jar |  | pkg:maven/org.latencyutils/LatencyUtils@2.0.3 |  | 0 |  | 18
RoaringBitmap-0.5.11.jar |  | pkg:maven/org.roaringbitmap/RoaringBitmap@0.5.11 |  | 0 |  | 21
ST4-4.0.4.jar |  | pkg:maven/org.antlr/ST4@4.0.4 |  | 0 |  | 22
Saxon-HE-9.9.1-6.jar |  | pkg:maven/net.sf.saxon/Saxon-HE@9.9.1-6 |  | 0 |  | 16
accessors-smart-1.2.jar |  | pkg:maven/net.minidev/accessors-smart@1.2 |  | 0 |  | 33
activation-1.1.1.jar |  | pkg:maven/javax.activation/activation@1.1.1 |  | 0 |  | 21
activation-1.1.jar |  | pkg:maven/javax.activation/activation@1.1 |  | 0 |  | 21
aggdesigner-algorithm-6.0.jar |  | pkg:maven/net.hydromatic/aggdesigner-algorithm@6.0 |  | 0 |  | 24
airline-0.7.jar |  | pkg:maven/io.airlift/airline@0.7 |  | 0 |  | 30
animal-sniffer-annotations-1.18.jar |  | pkg:maven/org.codehaus.mojo/animal-sniffer-annotations@1.18 |  | 0 |  | 27
annotations-13.0.jar |  | pkg:maven/org.jetbrains/annotations@13.0 |  | 0 |  | 26
annotations-2.0.3.jar |  | pkg:maven/com.google.code.findbugs/annotations@2.0.3 |  | 0 |  | 16
ant-1.6.5.jar | cpe:2.3:a:apache:ant:1.6.5:*:*:*:*:*:*:* | pkg:maven/ant/ant@1.6.5 | MEDIUM | 1 | Low | 20
antlr-2.7.7.jar |  | pkg:maven/antlr/antlr@2.7.7 |  | 0 |  | 8
antlr-runtime-3.4.jar |  | pkg:maven/org.antlr/antlr-runtime@3.4 |  | 0 |  | 26
antlr-runtime-3.5.2.jar |  | pkg:maven/org.antlr/antlr-runtime@3.5.2 |  | 0 |  | 27
antlr4-runtime-4.7.2.jar |  | pkg:maven/org.antlr/antlr4-runtime@4.7.2 |  | 0 |  | 37
aopalliance-1.0.jar |  | pkg:maven/aopalliance/aopalliance@1.0 |  | 0 |  | 10
aopalliance-repackaged-2.4.0-b34.jar |  | pkg:maven/org.glassfish.hk2.external/aopalliance-repackaged@2.4.0-b34 |  | 0 |  | 23
apacheds-i18n-2.0.0-M15.jar | cpe:2.3:a:i18n_project:i18n:2.0.0:m15:*:*:*:*:*:* | pkg:maven/org.apache.directory.server/apacheds-i18n@2.0.0-M15 | HIGH | 1 | Highest | 30
apacheds-kerberos-codec-2.0.0-M15.jar |  | pkg:maven/org.apache.directory.server/apacheds-kerberos-codec@2.0.0-M15 |  | 0 |  | 30
api-asn1-api-1.0.0-M20.jar |  | pkg:maven/org.apache.directory.api/api-asn1-api@1.0.0-M20 |  | 0 |  | 30
api-util-1.0.0-M20.jar | cpe:2.3:a:apache:directory_ldap_api:1.0.0:m20:*:*:*:*:*:* | pkg:maven/org.apache.directory.api/api-util@1.0.0-M20 | CRITICAL | 1 | Low | 29
apiguardian-api-1.1.0.jar |  | pkg:maven/org.apiguardian/apiguardian-api@1.1.0 |  | 0 |  | 21
asm-3.1.jar |  | pkg:maven/asm/asm@3.1 |  | 0 |  | 12
asm-5.0.3.jar |  | pkg:maven/org.ow2.asm/asm@5.0.3 |  | 0 |  | 22
asm-7.2.jar |  | pkg:maven/org.ow2.asm/asm@7.2 |  | 0 |  | 21
asm-analysis-7.2.jar |  | pkg:maven/org.ow2.asm/asm-analysis@7.2 |  | 0 |  | 30
asm-commons-7.2.jar |  | pkg:maven/org.ow2.asm/asm-commons@7.2 |  | 0 |  | 27
asm-tree-7.2.jar |  | pkg:maven/org.ow2.asm/asm-tree@7.2 |  | 0 |  | 27
asm-util-7.2.jar |  | pkg:maven/org.ow2.asm/asm-util@7.2 |  | 0 |  | 27
automaton-1.11-8.jar |  | pkg:maven/dk.brics.automaton/automaton@1.11-8 |  | 0 |  | 12
avatica-core-1.17.0.jar | cpe:2.3:a:apache:calcite:1.17.0:*:*:*:*:*:*:* | pkg:maven/org.apache.calcite.avatica/avatica-core@1.17.0 | MEDIUM | 1 | Highest | 22
avatica-metrics-1.17.0.jar | cpe:2.3:a:apache:calcite:1.17.0:*:*:*:*:*:*:* | pkg:maven/org.apache.calcite.avatica/avatica-metrics@1.17.0 | MEDIUM | 1 | Highest | 23
avatica-server-1.17.0.jar | cpe:2.3:a:apache:calcite:1.17.0:*:*:*:*:*:*:* | pkg:maven/org.apache.calcite.avatica/avatica-server@1.17.0 | MEDIUM | 1 | Highest | 23
avro-1.7.4.jar | cpe:2.3:a:apache:avro:1.7.4:*:*:*:*:*:*:* | pkg:maven/org.apache.avro/avro@1.7.4 |  | 0 | Highest | 29
avro-1.7.7.jar | cpe:2.3:a:apache:avro:1.7.7:*:*:*:*:*:*:* | pkg:maven/org.apache.avro/avro@1.7.7 |  | 0 | Highest | 35
avro-ipc-1.7.7-tests.jar | cpe:2.3:a:apache:avro:1.7.7:*:*:*:*:*:*:* | pkg:maven/org.apache.avro/avro-ipc@1.7.7 |  | 0 | Highest | 31
avro-ipc-1.7.7.jar | cpe:2.3:a:apache:avro:1.7.7:*:*:*:*:*:*:* | pkg:maven/org.apache.avro/avro-ipc@1.7.7 |  | 0 | Highest | 37
avro-mapred-1.7.7-hadoop2.jar | cpe:2.3:a:apache:avro:1.7.7:*:*:*:*:*:*:* | pkg:maven/org.apache.avro/avro-mapred@1.7.7 |  | 0 | Highest | 31
backport-util-concurrent-3.1.jar |  | pkg:maven/backport-util-concurrent/backport-util-concurrent@3.1 |  | 0 |  | 13
base64-2.3.8.jar |  | pkg:maven/net.iharder/base64@2.3.8 |  | 0 |  | 24
bcprov-jdk15on-1.60.jar | cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.60.0:*:*:*:*:*:*:*; cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.60.0:*:*:*:*:*:*:* | pkg:maven/org.bouncycastle/bcprov-jdk15on@1.60 | MEDIUM | 1 | Highest | 38
bsh-2.0b4.jar | cpe:2.3:a:beanshell:beanshell:2.0.b4:*:*:*:*:*:*:* | pkg:maven/org.beanshell/bsh@2.0b4 | HIGH | 1 | Low | 14
calcite-babel-1.27.0-SNAPSHOT.jar | cpe:2.3:a:apache:calcite:1.27.0:snapshot:*:*:*:*:*:* | pkg:maven/org.apache.calcite/babel@1.27.0-SNAPSHOT |  | 0 | Highest | 21
calcite-cassandra-1.27.0-SNAPSHOT.jar | cpe:2.3:a:apache:calcite:1.27.0:snapshot:*:*:*:*:*:*; cpe:2.3:a:apache:cassandra:1.27.0:snapshot:*:*:*:*:*:* | pkg:maven/org.apache.calcite/cassandra@1.27.0-SNAPSHOT | MEDIUM | 1 | Highest | 21
calcite-core-1.27.0-SNAPSHOT.jar | cpe:2.3:a:apache:calcite:1.27.0:snapshot:*:*:*:*:*:* | pkg:maven/org.apache.calcite/core@1.27.0-SNAPSHOT |  | 0 | Highest | 18
calcite-druid-1.27.0-SNAPSHOT.jar | cpe:2.3:a:apache:calcite:1.27.0:snapshot:*:*:*:*:*:*; cpe:2.3:a:apache:druid:1.27.0:snapshot:*:*:*:*:*:* | pkg:maven/org.apache.calcite/druid@1.27.0-SNAPSHOT |  | 0 | Highest | 21
calcite-elasticsearch-1.27.0-SNAPSHOT.jar | cpe:2.3:a:apache:calcite:1.27.0:snapshot:*:*:*:*:*:* | pkg:maven/org.apache.calcite/elasticsearch@1.27.0-SNAPSHOT |  | 0 | Highest | 21
calcite-file-1.27.0-SNAPSHOT.jar | cpe:2.3:a:apache:calcite:1.27.0:snapshot:*:*:*:*:*:* | pkg:maven/org.apache.calcite/file@1.27.0-SNAPSHOT |  | 0 | Highest | 21
calcite-geode-1.27.0-SNAPSHOT.jar | cpe:2.3:a:apache:calcite:1.27.0:snapshot:*:*:*:*:*:*; cpe:2.3:a:apache:geode:1.27.0:snapshot:*:*:*:*:*:* | pkg:maven/org.apache.calcite/geode@1.27.0-SNAPSHOT |  | 0 | Highest | 21
calcite-innodb-1.27.0-SNAPSHOT.jar | cpe:2.3:a:apache:calcite:1.27.0:snapshot:*:*:*:*:*:* | pkg:maven/org.apache.calcite/innodb@1.27.0-SNAPSHOT |  | 0 | Highest | 21
calcite-kafka-1.27.0-SNAPSHOT.jar | cpe:2.3:a:apache:calcite:1.27.0:snapshot:*:*:*:*:*:*; cpe:2.3:a:apache:kafka:1.27.0:snapshot:*:*:*:*:*:* | pkg:maven/org.apache.calcite/kafka@1.27.0-SNAPSHOT | HIGH | 1 | Highest | 21
calcite-linq4j-1.27.0-SNAPSHOT.jar | cpe:2.3:a:apache:calcite:1.27.0:snapshot:*:*:*:*:*:* | pkg:maven/org.apache.calcite/linq4j@1.27.0-SNAPSHOT |  | 0 | Highest | 20
calcite-mongodb-1.27.0-SNAPSHOT.jar | cpe:2.3:a:apache:calcite:1.27.0:snapshot:*:*:*:*:*:* | pkg:maven/org.apache.calcite/mongodb@1.27.0-SNAPSHOT |  | 0 | Highest | 21
calcite-pig-1.27.0-SNAPSHOT.jar | cpe:2.3:a:apache:calcite:1.27.0:snapshot:*:*:*:*:*:* | pkg:maven/org.apache.calcite/pig@1.27.0-SNAPSHOT |  | 0 | Highest | 21
calcite-piglet-1.27.0-SNAPSHOT.jar | cpe:2.3:a:apache:calcite:1.27.0:snapshot:*:*:*:*:*:* | pkg:maven/org.apache.calcite/piglet@1.27.0-SNAPSHOT |  | 0 | Highest | 20
calcite-plus-1.27.0-SNAPSHOT.jar | cpe:2.3:a:apache:calcite:1.27.0:snapshot:*:*:*:*:*:* | pkg:maven/org.apache.calcite/plus@1.27.0-SNAPSHOT |  | 0 | Highest | 21
calcite-redis-1.27.0-SNAPSHOT.jar | cpe:2.3:a:apache:calcite:1.27.0:snapshot:*:*:*:*:*:* | pkg:maven/org.apache.calcite/redis@1.27.0-SNAPSHOT |  | 0 | Highest | 21
calcite-spark-1.27.0-SNAPSHOT.jar | cpe:2.3:a:apache:calcite:1.27.0:snapshot:*:*:*:*:*:*; cpe:2.3:a:apache:spark:1.27.0:snapshot:*:*:*:*:*:* | pkg:maven/org.apache.calcite/spark@1.27.0-SNAPSHOT | CRITICAL | 6 | Highest | 21
calcite-splunk-1.27.0-SNAPSHOT.jar | cpe:2.3:a:apache:calcite:1.27.0:snapshot:*:*:*:*:*:* | pkg:maven/org.apache.calcite/splunk@1.27.0-SNAPSHOT |  | 0 | Highest | 21
cassandra-driver-core-3.6.0.jar | cpe:2.3:a:apache:cassandra:3.6.0:*:*:*:*:*:*:* | pkg:maven/com.datastax.cassandra/cassandra-driver-core@3.6.0 |  | 0 | High | 29
cglib-2.2.1-v20090111.jar |  | pkg:maven/org.sonatype.sisu.inject/cglib@2.2.1-v20090111 |  | 0 |  | 12
checker-qual-2.8.1.jar |  | pkg:maven/org.checkerframework/checker-qual@2.8.1 |  | 0 |  | 25
checker-qual-3.10.0.jar |  | pkg:maven/org.checkerframework/checker-qual@3.10.0 |  | 0 |  | 25
checkstyle-8.28.jar | cpe:2.3:a:checkstyle:checkstyle:8.28:*:*:*:*:*:*:* | pkg:maven/com.puppycrawl.tools/checkstyle@8.28 | MEDIUM | 1 | Highest | 26
chill-java-0.8.0.jar |  | pkg:maven/com.twitter/chill-java@0.8.0 |  | 0 |  | 17
chill_2.10-0.8.0.jar |  | pkg:maven/com.twitter/chill_2.10@0.8.0 |  | 0 |  | 16
chinook-data-hsqldb-0.1.jar |  | pkg:maven/net.hydromatic/chinook-data-hsqldb@0.1 |  | 0 |  | 35
classgraph-4.0.6.jar |  | pkg:maven/io.github.classgraph/classgraph@4.0.6 |  | 0 |  | 37
commons-beanutils-1.7.0.jar | cpe:2.3:a:apache:commons_beanutils:1.7.0:*:*:*:*:*:*:* | pkg:maven/commons-beanutils/commons-beanutils@1.7.0 | HIGH | 2 | Low | 25
commons-beanutils-1.9.3.jar | cpe:2.3:a:apache:commons_beanutils:1.9.3:*:*:*:*:*:*:* | pkg:maven/commons-beanutils/commons-beanutils@1.9.3 | HIGH | 1 | Highest | 44
commons-beanutils-1.9.4.jar | cpe:2.3:a:apache:commons_beanutils:1.9.4:*:*:*:*:*:*:* | pkg:maven/commons-beanutils/commons-beanutils@1.9.4 |  | 0 | Highest | 44
commons-beanutils-core-1.8.0.jar | cpe:2.3:a:apache:commons_beanutils:1.8.0:*:*:*:*:*:*:* | pkg:maven/commons-beanutils/commons-beanutils-core@1.8.0 | HIGH | 2 | Highest | 19
commons-cli-1.2.jar |  | pkg:maven/commons-cli/commons-cli@1.2 |  | 0 |  | 38
commons-codec-1.12.jar |  | pkg:maven/commons-codec/commons-codec@1.12 |  | 0 |  | 45
commons-collections-3.2.2.jar | cpe:2.3:a:apache:commons_collections:3.2.2:*:*:*:*:*:*:* | pkg:maven/commons-collections/commons-collections@3.2.2 |  | 0 | Highest | 44
commons-compiler-3.0.11.jar |  | pkg:maven/org.codehaus.janino/commons-compiler@3.0.11 |  | 0 |  | 37
commons-compress-1.4.1.jar | cpe:2.3:a:apache:commons-compress:1.4.1:*:*:*:*:*:*:*; cpe:2.3:a:apache:commons_compress:1.4.1:*:*:*:*:*:*:* | pkg:maven/org.apache.commons/commons-compress@1.4.1 |  | 0 | Highest | 42
commons-configuration-1.6.jar | cpe:2.3:a:apache:commons_configuration:1.6:*:*:*:*:*:*:* | pkg:maven/commons-configuration/commons-configuration@1.6 |  | 0 | Highest | 38
commons-crypto-1.0.0.jar |  | pkg:maven/org.apache.commons/commons-crypto@1.0.0 |  | 0 |  | 48
commons-crypto-1.0.0.jar: commons-crypto.dll |  |  |  | 0 |  | 2
commons-crypto-1.0.0.jar: commons-crypto.dll |  |  |  | 0 |  | 2
commons-dbcp2-2.6.0.jar |  | pkg:maven/org.apache.commons/commons-dbcp2@2.6.0 |  | 0 |  | 44
commons-digester-1.8.1.jar |  | pkg:maven/commons-digester/commons-digester@1.8.1 |  | 0 |  | 40
commons-digester-1.8.jar |  | pkg:maven/commons-digester/commons-digester@1.8 |  | 0 |  | 25
commons-el-1.0.jar |  | pkg:maven/commons-el/commons-el@1.0 |  | 0 |  | 23
commons-httpclient-3.1.jar | cpe:2.3:a:apache:commons-httpclient:3.1:*:*:*:*:*:*:*; cpe:2.3:a:apache:httpclient:3.1:*:*:*:*:*:*:* | pkg:maven/commons-httpclient/commons-httpclient@3.1 | MEDIUM | 2 | Highest | 21
commons-io-2.4.jar | cpe:2.3:a:apache:commons_io:2.4:*:*:*:*:*:*:* | pkg:maven/commons-io/commons-io@2.4 | MEDIUM | 1 | Highest | 39
commons-io-2.6.jar | cpe:2.3:a:apache:commons_io:2.6:*:*:*:*:*:*:* | pkg:maven/commons-io/commons-io@2.6 | MEDIUM | 1 | Highest | 43
commons-lang-2.4.jar |  | pkg:maven/commons-lang/commons-lang@2.4 |  | 0 |  | 38
commons-lang-2.6.jar |  | pkg:maven/commons-lang/commons-lang@2.6 |  | 0 |  | 38
commons-lang3-3.8.1.jar |  | pkg:maven/org.apache.commons/commons-lang3@3.8.1 |  | 0 |  | 44
commons-lang3-3.8.jar |  | pkg:maven/org.apache.commons/commons-lang3@3.8 |  | 0 |  | 43
commons-logging-1.1.1.jar |  | pkg:maven/commons-logging/commons-logging@1.1.1 |  | 0 |  | 34
commons-logging-1.2.jar |  | pkg:maven/commons-logging/commons-logging@1.2 |  | 0 |  | 39
commons-math3-3.1.1.jar |  | pkg:maven/org.apache.commons/commons-math3@3.1.1 |  | 0 |  | 40
commons-math3-3.2.jar |  | pkg:maven/org.apache.commons/commons-math3@3.2 |  | 0 |  | 39
commons-math3-3.4.1.jar |  | pkg:maven/org.apache.commons/commons-math3@3.4.1 |  | 0 |  | 40
commons-net-1.4.1.jar |  | pkg:maven/commons-net/commons-net@1.4.1 |  | 0 |  | 23
commons-net-3.1.jar |  | pkg:maven/commons-net/commons-net@3.1 |  | 0 |  | 55
commons-pool2-2.6.1.jar |  | pkg:maven/org.apache.commons/commons-pool2@2.6.1 |  | 0 |  | 44
commons-pool2-2.6.2.jar |  | pkg:maven/org.apache.commons/commons-pool2@2.6.2 |  | 0 |  | 44
commons-validator-1.6.jar |  | pkg:maven/commons-validator/commons-validator@1.6 |  | 0 |  | 43
compress-lzf-1.0.3.jar |  | pkg:maven/com.ning/compress-lzf@1.0.3 |  | 0 |  | 27
core-3.1.1.jar |  | pkg:maven/org.eclipse.jdt/core@3.1.1 |  | 0 |  | 31
core-3.1.1.jar: jdtCompilerAdapter.jar |  |  |  | 0 |  | 7
curator-client-2.7.1.jar |  | pkg:maven/org.apache.curator/curator-client@2.7.1 |  | 0 |  | 27
curator-framework-2.7.1.jar |  | pkg:maven/org.apache.curator/curator-framework@2.7.1 |  | 0 |  | 31
curator-recipes-2.7.1.jar |  | pkg:maven/org.apache.curator/curator-recipes@2.7.1 |  | 0 |  | 29
elasticsearch-rest-client-7.0.1.jar | cpe:2.3:a:elasticsearch:elasticsearch:7.0.1:*:*:*:*:*:*:* | pkg:maven/org.elasticsearch.client/elasticsearch-rest-client@7.0.1 |  | 0 | Highest | 28
error_prone_annotations-2.3.2.jar |  | pkg:maven/com.google.errorprone/error_prone_annotations@2.3.2 |  | 0 |  | 28
error_prone_annotations-2.5.1.jar |  | pkg:maven/com.google.errorprone/error_prone_annotations@2.5.1 |  | 0 |  | 25
esri-geometry-api-2.2.0.jar |  | pkg:maven/com.esri.geometry/esri-geometry-api@2.2.0 |  | 0 |  | 24
failureaccess-1.0.1.jar |  | pkg:maven/com.google.guava/failureaccess@1.0.1 |  | 0 |  | 34
fastutil-8.2.2.jar |  | pkg:maven/it.unimi.dsi/fastutil@8.2.2 |  | 0 |  | 29
findbugs-annotations-1.3.9-1.jar |  | pkg:maven/com.github.stephenc.findbugs/findbugs-annotations@1.3.9-1 |  | 0 |  | 22
fmpp-0.9.16.jar |  | pkg:maven/net.sourceforge.fmpp/fmpp@0.9.16 |  | 0 |  | 15
foodmart-data-hsqldb-0.3.jar |  | pkg:maven/net.hydromatic/foodmart-data-hsqldb@0.3 |  | 0 |  | 36
freemarker-2.3.29.jar |  | pkg:maven/org.freemarker/freemarker@2.3.29 |  | 0 |  | 20
geode-common-1.10.0.jar | cpe:2.3:a:apache:geode:1.10.0:*:*:*:*:*:*:* | pkg:maven/org.apache.geode/geode-common@1.10.0 |  | 0 | Low | 20
geode-core-1.10.0.jar | cpe:2.3:a:apache:geode:1.10.0:*:*:*:*:*:*:* | pkg:maven/org.apache.geode/geode-core@1.10.0 |  | 0 | Low | 24
geode-management-1.10.0.jar | cpe:2.3:a:apache:geode:1.10.0:*:*:*:*:*:*:* | pkg:maven/org.apache.geode/geode-management@1.10.0 |  | 0 | Low | 20
groovy-all-1.8.6.jar |  | pkg:maven/org.codehaus.groovy/groovy-all@1.8.6 | CRITICAL | 2 |  | 30
gson-2.2.4.jar |  | pkg:maven/com.google.code.gson/gson@2.2.4 |  | 0 |  | 26
guava-28.1-jre.jar | cpe:2.3:a:google:guava:28.1:*:*:*:*:*:*:* | pkg:maven/com.google.guava/guava@28.1-jre | LOW | 1 | Highest | 29
guava-29.0-jre.jar | cpe:2.3:a:google:guava:29.0:*:*:*:*:*:*:* | pkg:maven/com.google.guava/guava@29.0-jre | LOW | 1 | Highest | 29
guice-3.0.jar |  | pkg:maven/com.google.inject/guice@3.0 |  | 0 |  | 31
hadoop-annotations-2.7.5.jar | cpe:2.3:a:apache:hadoop:2.7.5:*:*:*:*:*:*:* | pkg:maven/org.apache.hadoop/hadoop-annotations@2.7.5 | HIGH | 8 | Highest | 26
hadoop-auth-2.7.5.jar | cpe:2.3:a:apache:hadoop:2.7.5:*:*:*:*:*:*:* | pkg:maven/org.apache.hadoop/hadoop-auth@2.7.5 | HIGH | 8 | Highest | 27
hadoop-client-2.7.5.jar | cpe:2.3:a:apache:hadoop:2.7.5:*:*:*:*:*:*:* | pkg:maven/org.apache.hadoop/hadoop-client@2.7.5 | HIGH | 8 | Highest | 17
hadoop-common-2.7.5.jar | cpe:2.3:a:apache:hadoop:2.7.5:*:*:*:*:*:*:* | pkg:maven/org.apache.hadoop/hadoop-common@2.7.5 | HIGH | 8 | Highest | 24
hadoop-hdfs-2.7.5.jar | cpe:2.3:a:apache:hadoop:2.7.5:*:*:*:*:*:*:* | pkg:maven/org.apache.hadoop/hadoop-hdfs@2.7.5 | HIGH | 8 | Highest | 28
hadoop-mapreduce-client-app-2.7.5.jar | cpe:2.3:a:apache:hadoop:2.7.5:*:*:*:*:*:*:* | pkg:maven/org.apache.hadoop/hadoop-mapreduce-client-app@2.7.5 | HIGH | 8 | Highest | 29
hadoop-mapreduce-client-common-2.7.5.jar | cpe:2.3:a:apache:hadoop:2.7.5:*:*:*:*:*:*:* | pkg:maven/org.apache.hadoop/hadoop-mapreduce-client-common@2.7.5 | HIGH | 8 | Highest | 29
hadoop-mapreduce-client-core-2.7.5.jar | cpe:2.3:a:apache:hadoop:2.7.5:*:*:*:*:*:*:* | pkg:maven/org.apache.hadoop/hadoop-mapreduce-client-core@2.7.5 | HIGH | 8 | Highest | 28
hadoop-mapreduce-client-jobclient-2.7.5.jar | cpe:2.3:a:apache:hadoop:2.7.5:*:*:*:*:*:*:* | pkg:maven/org.apache.hadoop/hadoop-mapreduce-client-jobclient@2.7.5 | HIGH | 8 | Highest | 26
hadoop-mapreduce-client-shuffle-2.7.5.jar | cpe:2.3:a:apache:hadoop:2.7.5:*:*:*:*:*:*:* | pkg:maven/org.apache.hadoop/hadoop-mapreduce-client-shuffle@2.7.5 | HIGH | 8 | Highest | 26
hadoop-yarn-api-2.7.5.jar | cpe:2.3:a:apache:hadoop:2.7.5:*:*:*:*:*:*:* | pkg:maven/org.apache.hadoop/hadoop-yarn-api@2.7.5 | HIGH | 8 | Highest | 31
hadoop-yarn-client-2.7.5.jar | cpe:2.3:a:apache:hadoop:2.7.5:*:*:*:*:*:*:* | pkg:maven/org.apache.hadoop/hadoop-yarn-client@2.7.5 | HIGH | 8 | Highest | 31
hadoop-yarn-common-2.7.5.jar | cpe:2.3:a:apache:hadoop:2.7.5:*:*:*:*:*:*:* | pkg:maven/org.apache.hadoop/hadoop-yarn-common@2.7.5 | HIGH | 8 | Highest | 28
hadoop-yarn-common-2.7.5.jar: jquery-1.8.2.min.js.gz: jquery-1.8.2.min.js |  | pkg:javascript/jquery@1.8.2.min | MEDIUM | 5 |  | 3
hadoop-yarn-common-2.7.5.jar: jquery-ui-1.9.1.custom.min.js.gz: jquery-ui-1.9.1.custom.min.js |  | pkg:javascript/jquery-ui-dialog@1.9.1 | MEDIUM | 2 |  | 3
hadoop-yarn-common-2.7.5.jar: jquery.dataTables.min.js.gz: jquery.dataTables.min.js |  |  |  | 0 |  | 0
hadoop-yarn-common-2.7.5.jar: jquery.jstree.js.gz: jquery.jstree.js |  |  |  | 0 |  | 0
hadoop-yarn-common-2.7.5.jar: natural.js |  |  |  | 0 |  | 0
hadoop-yarn-common-2.7.5.jar: yarn.dt.plugins.js |  |  |  | 0 |  | 0
hadoop-yarn-server-common-2.7.5.jar | cpe:2.3:a:apache:hadoop:2.7.5:*:*:*:*:*:*:* | pkg:maven/org.apache.hadoop/hadoop-yarn-server-common@2.7.5 | HIGH | 8 | Highest | 31
hadoop-yarn-server-nodemanager-2.7.5.jar | cpe:2.3:a:apache:hadoop:2.7.5:*:*:*:*:*:*:* | pkg:maven/org.apache.hadoop/hadoop-yarn-server-nodemanager@2.7.5 | HIGH | 8 | Highest | 31
hamcrest-2.1.jar |  | pkg:maven/org.hamcrest/hamcrest@2.1 |  | 0 |  | 18
hamcrest-core-2.1.jar |  | pkg:maven/org.hamcrest/hamcrest-core@2.1 |  | 0 |  | 14
hk2-api-2.4.0-b34.jar |  | pkg:maven/org.glassfish.hk2/hk2-api@2.4.0-b34 |  | 0 |  | 27
hk2-locator-2.4.0-b34.jar |  | pkg:maven/org.glassfish.hk2/hk2-locator@2.4.0-b34 |  | 0 |  | 23
hk2-utils-2.4.0-b34.jar | cpe:2.3:a:oracle:utilities_framework:2.4.0.b34:*:*:*:*:*:*:* | pkg:maven/org.glassfish.hk2/hk2-utils@2.4.0-b34 |  | 0 | Low | 31
hk2-utils-2.4.0-b34.jar (shaded: org.jvnet:tiger-types:1.4) |  | pkg:maven/org.jvnet/tiger-types@1.4 |  | 0 |  | 12
hsqldb-1.8.0.10.jar |  | pkg:maven/hsqldb/hsqldb@1.8.0.10 |  | 0 |  | 14
hsqldb-2.4.1.jar | cpe:2.3:a:oracle:database:2.4.1:*:*:*:*:*:*:*; cpe:2.3:a:oracle:oracle_database:2.4.1:*:*:*:*:*:*:* | pkg:maven/org.hsqldb/hsqldb@2.4.1 |  | 0 | Low | 21
htrace-core-3.1.0-incubating.jar |  | pkg:maven/org.apache.htrace/htrace-core@3.1.0-incubating |  | 0 |  | 28
htrace-core-3.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-annotations:2.4.0) | cpe:2.3:a:fasterxml:jackson-modules-java8:2.4.0:*:*:*:*:*:*:* | pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.4.0 | MEDIUM | 1 | Low | 16
htrace-core-3.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-core:2.4.0) | cpe:2.3:a:fasterxml:jackson-modules-java8:2.4.0:*:*:*:*:*:*:* | pkg:maven/com.fasterxml.jackson.core/jackson-core@2.4.0 | MEDIUM | 1 | Low | 16
htrace-core-3.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) | cpe:2.3:a:fasterxml:jackson-databind:2.4.0:*:*:*:*:*:*:*; cpe:2.3:a:fasterxml:jackson-modules-java8:2.4.0:*:*:*:*:*:*:* | pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.4.0 | CRITICAL | 19 | Highest | 16
httpasyncclient-4.1.4.jar | cpe:2.3:a:apache:httpasyncclient:4.1.4:*:*:*:*:*:*:* | pkg:maven/org.apache.httpcomponents/httpasyncclient@4.1.4 |  | 0 | Highest | 29
httpclient-4.5.9.jar | cpe:2.3:a:apache:httpclient:4.5.9:*:*:*:*:*:*:* | pkg:maven/org.apache.httpcomponents/httpclient@4.5.9 | MEDIUM | 1 | Highest | 36
httpcore-4.4.11.jar |  | pkg:maven/org.apache.httpcomponents/httpcore@4.4.11 |  | 0 |  | 36
httpcore-nio-4.4.11.jar |  | pkg:maven/org.apache.httpcomponents/httpcore-nio@4.4.11 |  | 0 |  | 34
ical4j-1.0.2.jar |  | pkg:maven/org.mnode.ical4j/ical4j@1.0.2 |  | 0 |  | 28
imageinfo-1.9.jar |  | pkg:maven/org.devlib.schmidt/imageinfo@1.9 |  | 0 |  | 26
innodb-java-reader-1.0.10.jar | cpe:2.3:a:alibaba:alibaba:1.0.10:*:*:*:*:*:*:* | pkg:maven/com.alibaba.database/innodb-java-reader@1.0.10 |  | 0 | Highest | 31
istack-commons-runtime-2.2.jar |  | pkg:maven/com.sun.istack/istack-commons-runtime@2.2 |  | 0 |  | 26
ivy-2.2.0.jar | cpe:2.3:a:apache:ant:2.2.0:*:*:*:*:*:*:* | pkg:maven/org.apache.ivy/ivy@2.2.0 |  | 0 | Highest | 26
ivy-2.4.0.jar | cpe:2.3:a:apache:ant:2.4.0:*:*:*:*:*:*:* | pkg:maven/org.apache.ivy/ivy@2.4.0 |  | 0 | Highest | 28
j2objc-annotations-1.3.jar |  | pkg:maven/com.google.j2objc/j2objc-annotations@1.3 |  | 0 |  | 26
jackson-annotations-2.10.0.jar | cpe:2.3:a:fasterxml:jackson-modules-java8:2.10.0:*:*:*:*:*:*:* | pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.10.0 |  | 0 | Low | 42
jackson-core-2.10.0.jar | cpe:2.3:a:fasterxml:jackson-modules-java8:2.10.0:*:*:*:*:*:*:* | pkg:maven/com.fasterxml.jackson.core/jackson-core@2.10.0 |  | 0 | Low | 49
jackson-core-asl-1.8.8.jar |  | pkg:maven/org.codehaus.jackson/jackson-core-asl@1.8.8 |  | 0 |  | 20
jackson-core-asl-1.9.11.jar |  | pkg:maven/org.codehaus.jackson/jackson-core-asl@1.9.11 |  | 0 |  | 20
jackson-core-asl-1.9.13.jar |  | pkg:maven/org.codehaus.jackson/jackson-core-asl@1.9.13 |  | 0 |  | 20
jackson-databind-2.10.0.jar | cpe:2.3:a:fasterxml:jackson-databind:2.10.0:*:*:*:*:*:*:* | pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.0 | HIGH | 1 | Highest | 43
jackson-dataformat-yaml-2.10.0.jar | cpe:2.3:a:fasterxml:jackson-dataformat-xml:2.10.0:*:*:*:*:*:*:* | pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-yaml@2.10.0 |  | 0 | Highest | 43
jackson-jaxrs-1.8.3.jar | cpe:2.3:a:fasterxml:jackson-databind:1.8.3:*:*:*:*:*:*:* | pkg:maven/org.codehaus.jackson/jackson-jaxrs@1.8.3 | CRITICAL | 1 | High | 22
jackson-jaxrs-1.9.13.jar | cpe:2.3:a:fasterxml:jackson-databind:1.9.13:*:*:*:*:*:*:* | pkg:maven/org.codehaus.jackson/jackson-jaxrs@1.9.13 | CRITICAL | 1 | High | 22
jackson-mapper-asl-1.8.8.jar | cpe:2.3:a:fasterxml:jackson-mapper-asl:1.8.8:*:*:*:*:*:*:* | pkg:maven/org.codehaus.jackson/jackson-mapper-asl@1.8.8 | CRITICAL | 11 | High | 20
jackson-mapper-asl-1.9.11.jar | cpe:2.3:a:fasterxml:jackson-mapper-asl:1.9.11:*:*:*:*:*:*:* | pkg:maven/org.codehaus.jackson/jackson-mapper-asl@1.9.11 | CRITICAL | 12 | High | 20
jackson-mapper-asl-1.9.13.jar | cpe:2.3:a:fasterxml:jackson-mapper-asl:1.9.13:*:*:*:*:*:*:* | pkg:maven/org.codehaus.jackson/jackson-mapper-asl@1.9.13 | CRITICAL | 12 | High | 20
jackson-module-paranamer-2.10.0.jar |  | pkg:maven/com.fasterxml.jackson.module/jackson-module-paranamer@2.10.0 |  | 0 |  | 43
jackson-module-scala_2.10-2.10.0.jar |  | pkg:maven/com.fasterxml.jackson.module/jackson-module-scala_2.10@2.10.0 |  | 0 |  | 23
jackson-xc-1.8.3.jar | cpe:2.3:a:fasterxml:jackson-databind:1.8.3:*:*:*:*:*:*:* | pkg:maven/org.codehaus.jackson/jackson-xc@1.8.3 | CRITICAL | 1 | High | 22
jackson-xc-1.9.13.jar | cpe:2.3:a:fasterxml:jackson-databind:1.9.13:*:*:*:*:*:*:* | pkg:maven/org.codehaus.jackson/jackson-xc@1.9.13 | CRITICAL | 1 | High | 22
jandex-2.2.3.Final.jar |  | pkg:maven/org.jboss/jandex@2.2.3.Final |  | 0 |  | 47
janino-3.0.11.jar |  | pkg:maven/org.codehaus.janino/janino@3.0.11 |  | 0 |  | 34
jansi-2.1.0.jar |  | pkg:maven/org.fusesource.jansi/jansi@2.1.0 |  | 0 |  | 40
jansi-2.1.0.jar: jansi.dll |  |  |  | 0 |  | 2
jansi-2.1.0.jar: jansi.dll |  |  |  | 0 |  | 2
jasper-compiler-5.5.12.jar |  | pkg:maven/tomcat/jasper-compiler@5.5.12 |  | 0 |  | 12
jasper-runtime-5.5.12.jar |  | pkg:maven/tomcat/jasper-runtime@5.5.12 |  | 0 |  | 12
java-xmlbuilder-0.4.jar |  | pkg:maven/com.jamesmurty.utils/java-xmlbuilder@0.4 |  | 0 |  | 26
java-xmlbuilder-1.0.jar |  | pkg:maven/com.jamesmurty.utils/java-xmlbuilder@1.0 |  | 0 |  | 24
javacc-4.0.jar |  | pkg:maven/net.java.dev.javacc/javacc@4.0 |  | 0 |  | 8
javassist-3.18.1-GA.jar |  | pkg:maven/org.javassist/javassist@3.18.1-GA |  | 0 |  | 23
javax.activation-1.2.0.jar |  | pkg:maven/com.sun.activation/javax.activation@1.2.0 |  | 0 |  | 44
javax.activation-api-1.2.0.jar |  | pkg:maven/javax.activation/javax.activation-api@1.2.0 |  | 0 |  | 41
javax.annotation-api-1.2.jar |  | pkg:maven/javax.annotation/javax.annotation-api@1.2 |  | 0 |  | 40
javax.inject-1.jar |  | pkg:maven/javax.inject/javax.inject@1 |  | 0 |  | 10
javax.inject-2.4.0-b34.jar |  | pkg:maven/org.glassfish.hk2.external/javax.inject@2.4.0-b34 |  | 0 |  | 25
javax.resource-api-1.7.1.jar |  | pkg:maven/javax.resource/javax.resource-api@1.7.1 |  | 0 |  | 42
javax.servlet-api-4.0.1.jar |  | pkg:maven/javax.servlet/javax.servlet-api@4.0.1 |  | 0 |  | 39
javax.transaction-api-1.3.jar |  | pkg:maven/javax.transaction/javax.transaction-api@1.3 |  | 0 |  | 42
javax.ws.rs-api-2.0.1.jar | cpe:2.3:a:oracle:web_services:2.0.1:*:*:*:*:*:*:* | pkg:maven/javax.ws.rs/javax.ws.rs-api@2.0.1 |  | 0 | Low | 44
jaxb-api-2.2.2.jar |  | pkg:maven/javax.xml.bind/jaxb-api@2.2.2 |  | 0 |  | 23
jaxb-api-2.3.1.jar |  | pkg:maven/javax.xml.bind/jaxb-api@2.3.1 |  | 0 |  | 39
jaxb-impl-2.2.3-1.jar |  | pkg:maven/com.sun.xml.bind/jaxb-impl@2.2.3-1 |  | 0 |  | 31
jaxb-impl-2.3.1.jar |  | pkg:maven/com.sun.xml.bind/jaxb-impl@2.3.1 |  | 0 |  | 43
jaxb-impl-2.3.1.jar (shaded: org.glassfish.jaxb:jaxb-runtime:2.3.1) |  | pkg:maven/org.glassfish.jaxb/jaxb-runtime@2.3.1 |  | 0 |  | 11
jcl-over-slf4j-1.7.16.jar |  | pkg:maven/org.slf4j/jcl-over-slf4j@1.7.16 |  | 0 |  | 27
jedis-3.3.0.jar |  | pkg:maven/redis.clients/jedis@3.3.0 |  | 0 |  | 29
jersey-client-2.22.2.jar | cpe:2.3:a:jersey_project:jersey:2.22.2:*:*:*:*:*:*:* | pkg:maven/org.glassfish.jersey.core/jersey-client@2.22.2 |  | 0 | Highest | 29
jersey-common-2.22.2.jar | cpe:2.3:a:jersey_project:jersey:2.22.2:*:*:*:*:*:*:* | pkg:maven/org.glassfish.jersey.core/jersey-common@2.22.2 |  | 0 | Highest | 27
jersey-container-servlet-2.22.2.jar | cpe:2.3:a:jersey_project:jersey:2.22.2:*:*:*:*:*:*:* | pkg:maven/org.glassfish.jersey.containers/jersey-container-servlet@2.22.2 |  | 0 | Highest | 29
jersey-container-servlet-core-2.22.2.jar | cpe:2.3:a:jersey_project:jersey:2.22.2:*:*:*:*:*:*:* | pkg:maven/org.glassfish.jersey.containers/jersey-container-servlet-core@2.22.2 |  | 0 | Highest | 29
jersey-core-1.9.jar | cpe:2.3:a:jersey_project:jersey:1.9:*:*:*:*:*:*:* | pkg:maven/com.sun.jersey/jersey-core@1.9 |  | 0 | Highest | 34
jersey-guava-2.22.2.jar | cpe:2.3:a:jersey_project:jersey:2.22.2:*:*:*:*:*:*:* | pkg:maven/org.glassfish.jersey.bundles.repackaged/jersey-guava@2.22.2 |  | 0 | Highest | 28
jersey-json-1.9.jar | cpe:2.3:a:jersey_project:jersey:1.9:*:*:*:*:*:*:* | pkg:maven/com.sun.jersey/jersey-json@1.9 |  | 0 | Highest | 34
jersey-media-jaxb-2.22.2.jar | cpe:2.3:a:jersey_project:jersey:2.22.2:*:*:*:*:*:*:* | pkg:maven/org.glassfish.jersey.media/jersey-media-jaxb@2.22.2 |  | 0 | Highest | 29
jersey-server-1.9.jar | cpe:2.3:a:jersey_project:jersey:1.9:*:*:*:*:*:*:* | pkg:maven/com.sun.jersey/jersey-server@1.9 |  | 0 | Highest | 34
jersey-server-2.22.2.jar | cpe:2.3:a:jersey_project:jersey:2.22.2:*:*:*:*:*:*:* | pkg:maven/org.glassfish.jersey.core/jersey-server@2.22.2 |  | 0 | Highest | 31
jets3t-0.7.1.jar |  | pkg:maven/net.java.dev.jets3t/jets3t@0.7.1 |  | 0 |  | 10
jets3t-0.9.0.jar |  | pkg:maven/net.java.dev.jets3t/jets3t@0.9.0 |  | 0 |  | 10
jets3t-0.9.3.jar |  | pkg:maven/net.java.dev.jets3t/jets3t@0.9.3 |  | 0 |  | 27
jettison-1.1.jar |  | pkg:maven/org.codehaus.jettison/jettison@1.1 |  | 0 |  | 25
jetty-6.1.26.jar | cpe:2.3:a:jetty:jetty:6.1.26:*:*:*:*:*:*:*; cpe:2.3:a:mortbay:jetty:6.1.26:*:*:*:*:*:*:*; cpe:2.3:a:mortbay_jetty:jetty:6.1.26:*:*:*:*:*:*:* | pkg:maven/org.mortbay.jetty/jetty@6.1.26 | CRITICAL | 9 | Highest | 38
jetty-http-9.4.15.v20190215.jar | cpe:2.3:a:eclipse:jetty:9.4.15:20190215:*:*:*:*:*:*; cpe:2.3:a:jetty:jetty:9.4.15:20190215:*:*:*:*:*:*; cpe:2.3:a:mortbay_jetty:jetty:9.4.15:20190215:*:*:*:*:*:* | pkg:maven/org.eclipse.jetty/jetty-http@9.4.15.v20190215 | HIGH | 6 | Highest | 48
jetty-io-9.4.15.v20190215.jar | cpe:2.3:a:mortbay_jetty:jetty:9.4.15:20190215:*:*:*:*:*:* | pkg:maven/org.eclipse.jetty/jetty-io@9.4.15.v20190215 | HIGH | 1 | Highest | 45
jetty-security-9.4.15.v20190215.jar | cpe:2.3:a:eclipse:jetty:9.4.15:20190215:*:*:*:*:*:*; cpe:2.3:a:jetty:jetty:9.4.15:20190215:*:*:*:*:*:*; cpe:2.3:a:mortbay_jetty:jetty:9.4.15:20190215:*:*:*:*:*:* | pkg:maven/org.eclipse.jetty/jetty-security@9.4.15.v20190215 | HIGH | 6 | Highest | 45
jetty-server-9.4.15.v20190215.jar | cpe:2.3:a:eclipse:jetty:9.4.15:20190215:*:*:*:*:*:*; cpe:2.3:a:jetty:jetty:9.4.15:20190215:*:*:*:*:*:*; cpe:2.3:a:mortbay_jetty:jetty:9.4.15:20190215:*:*:*:*:*:* | pkg:maven/org.eclipse.jetty/jetty-server@9.4.15.v20190215 | HIGH | 6 | Highest | 45
jetty-sslengine-6.1.26.jar | cpe:2.3:a:jetty:jetty:6.1.26:*:*:*:*:*:*:*; cpe:2.3:a:mortbay:jetty:6.1.26:*:*:*:*:*:*:*; cpe:2.3:a:mortbay_jetty:jetty:6.1.26:*:*:*:*:*:*:* | pkg:maven/org.mortbay.jetty/jetty-sslengine@6.1.26 | MEDIUM | 2 | Highest | 40
jetty-util-6.1.26.jar | cpe:2.3:a:jetty:jetty:6.1.26:*:*:*:*:*:*:*; cpe:2.3:a:mortbay:jetty:6.1.26:*:*:*:*:*:*:*; cpe:2.3:a:mortbay_jetty:jetty:6.1.26:*:*:*:*:*:*:* | pkg:maven/org.mortbay.jetty/jetty-util@6.1.26 | MEDIUM | 2 | Highest | 36
jetty-util-9.4.15.v20190215.jar | cpe:2.3:a:eclipse:jetty:9.4.15:20190215:*:*:*:*:*:*; cpe:2.3:a:jetty:jetty:9.4.15:20190215:*:*:*:*:*:*; cpe:2.3:a:mortbay_jetty:jetty:9.4.15:20190215:*:*:*:*:*:* | pkg:maven/org.eclipse.jetty/jetty-util@9.4.15.v20190215 | HIGH | 6 | Highest | 46
jffi-1.2.16-native.jar |  | pkg:maven/com.github.jnr/jffi@1.2.16 |  | 0 |  | 11
jffi-1.2.16-native.jar: jffi-1.2.dll |  |  |  | 0 |  | 4
jffi-1.2.16-native.jar: jffi-1.2.dll |  |  |  | 0 |  | 4
jffi-1.2.16.jar |  | pkg:maven/com.github.jnr/jffi@1.2.16 |  | 0 |  | 24
jgroups-3.6.14.Final.jar | cpe:2.3:a:redhat:jgroups:3.6.14:*:*:*:*:*:*:* | pkg:maven/org.jgroups/jgroups@3.6.14.Final | HIGH | 1 | High | 29
jline-0.9.94.jar |  | pkg:maven/jline/jline@0.9.94 |  | 0 |  | 20
jline-0.9.94.jar: jline32.dll |  |  |  | 0 |  | 4
jline-0.9.94.jar: jline64.dll |  |  |  | 0 |  | 4
jline-1.0.jar |  | pkg:maven/jline/jline@1.0 |  | 0 |  | 23
jline-2.12.jar |  | pkg:maven/jline/jline@2.12 |  | 0 |  | 18
jline-2.12.jar: jansi.dll |  |  |  | 0 |  | 2
jline-2.12.jar: jansi.dll |  |  |  | 0 |  | 2
jline-builtins-3.18.0.jar |  | pkg:maven/org.jline/jline-builtins@3.18.0 |  | 0 |  | 31
jline-console-3.18.0.jar |  | pkg:maven/org.jline/jline-console@3.18.0 |  | 0 |  | 31
jline-reader-3.18.0.jar |  | pkg:maven/org.jline/jline-reader@3.18.0 |  | 0 |  | 31
jline-style-3.18.0.jar |  | pkg:maven/org.jline/jline-style@3.18.0 |  | 0 |  | 31
jline-terminal-3.18.0.jar |  | pkg:maven/org.jline/jline-terminal@3.18.0 |  | 0 |  | 31
jline-terminal-jansi-3.18.0.jar |  | pkg:maven/org.jline/jline-terminal-jansi@3.18.0 |  | 0 |  | 33
jline-terminal-jna-3.18.0.jar |  | pkg:maven/org.jline/jline-terminal-jna@3.18.0 |  | 0 |  | 33
jmh-core-1.21.jar |  | pkg:maven/org.openjdk.jmh/jmh-core@1.21 |  | 0 |  | 31
jmh-generator-annprocess-1.12.jar |  | pkg:maven/org.openjdk.jmh/jmh-generator-annprocess@1.12 |  | 0 |  | 29
jmh-generator-asm-1.21.jar |  | pkg:maven/org.openjdk.jmh/jmh-generator-asm@1.21 |  | 0 |  | 31
jmh-generator-bytecode-1.21.jar |  | pkg:maven/org.openjdk.jmh/jmh-generator-bytecode@1.21 |  | 0 |  | 31
jmh-generator-reflection-1.21.jar |  | pkg:maven/org.openjdk.jmh/jmh-generator-reflection@1.21 |  | 0 |  | 31
jna-5.5.0.jar |  | pkg:maven/net.java.dev.jna/jna@5.5.0 |  | 0 |  | 41
jna-5.5.0.jar: jnidispatch.dll |  |  |  | 0 |  | 2
jna-5.5.0.jar: jnidispatch.dll |  |  |  | 0 |  | 2
jnr-constants-0.9.9.jar |  | pkg:maven/com.github.jnr/jnr-constants@0.9.9 |  | 0 |  | 27
jnr-ffi-2.1.7.jar |  | pkg:maven/com.github.jnr/jnr-ffi@2.1.7 |  | 0 |  | 25
jnr-posix-3.0.44.jar |  | pkg:maven/com.github.jnr/jnr-posix@3.0.44 |  | 0 |  | 24
jnr-x86asm-1.0.2.jar |  | pkg:maven/com.github.jnr/jnr-x86asm@1.0.2 |  | 0 |  | 24
joda-time-2.8.1.jar | cpe:2.3:a:time_project:time:2.8.1:*:*:*:*:*:*:* | pkg:maven/joda-time/joda-time@2.8.1 |  | 0 | Highest | 39
jopt-simple-4.6.jar |  | pkg:maven/net.sf.jopt-simple/jopt-simple@4.6 |  | 0 |  | 16
jopt-simple-5.0.4.jar |  | pkg:maven/net.sf.jopt-simple/jopt-simple@5.0.4 |  | 0 |  | 19
jsch-0.1.54.jar | cpe:2.3:a:jcraft:jsch:0.1.54:*:*:*:*:*:*:* | pkg:maven/com.jcraft/jsch@0.1.54 |  | 0 | Highest | 26
json-path-2.4.0.jar |  | pkg:maven/com.jayway.jsonpath/json-path@2.4.0 |  | 0 |  | 24
json-smart-2.3.jar | cpe:2.3:a:ini-parser_project:ini-parser:2.3:*:*:*:*:*:*:* | pkg:maven/net.minidev/json-smart@2.3 |  | 0 | Low | 37
json4s-ast_2.10-3.2.11.jar |  | pkg:maven/org.json4s/json4s-ast_2.10@3.2.11 |  | 0 |  | 17
json4s-core_2.10-3.2.11.jar |  | pkg:maven/org.json4s/json4s-core_2.10@3.2.11 |  | 0 |  | 17
json4s-jackson_2.10-3.2.11.jar |  | pkg:maven/org.json4s/json4s-jackson_2.10@3.2.11 |  | 0 |  | 20
jsoup-1.11.3.jar | cpe:2.3:a:jsoup:jsoup:1.11.3:*:*:*:*:*:*:* | pkg:maven/org.jsoup/jsoup@1.11.3 |  | 0 | Highest | 33
jsp-2.1-6.1.14.jar | cpe:2.3:a:jetty:jetty:6.1.14:*:*:*:*:*:*:*; cpe:2.3:a:mortbay:jetty:6.1.14:*:*:*:*:*:*:*; cpe:2.3:a:mortbay_jetty:jetty:6.1.14:*:*:*:*:*:*:* | pkg:maven/org.mortbay.jetty/jsp-2.1@6.1.14 | HIGH | 9 | Highest | 35
jsp-api-2.1-6.1.14.jar | cpe:2.3:a:jetty:jetty:6.1.14:*:*:*:*:*:*:*; cpe:2.3:a:mortbay:jetty:6.1.14:*:*:*:*:*:*:*; cpe:2.3:a:mortbay_jetty:jetty:6.1.14:*:*:*:*:*:*:* | pkg:maven/org.mortbay.jetty/jsp-api-2.1@6.1.14 | HIGH | 9 | Highest | 33
jsp-api-2.1.jar |  | pkg:maven/javax.servlet.jsp/jsp-api@2.1 |  | 0 |  | 24
jsqlparser-3.1.jar |  | pkg:maven/com.github.jsqlparser/jsqlparser@3.1 |  | 0 |  | 26
jsr305-3.0.2.jar |  | pkg:maven/com.google.code.findbugs/jsr305@3.0.2 |  | 0 |  | 19
jul-to-slf4j-1.7.16.jar |  | pkg:maven/org.slf4j/jul-to-slf4j@1.7.16 |  | 0 |  | 30
junit-4.12.jar | cpe:2.3:a:junit:junit4:4.12:*:*:*:*:*:*:* | pkg:maven/junit/junit@4.12 | MEDIUM | 1 | Highest | 12
kafka-clients-2.1.1.jar | cpe:2.3:a:apache:kafka:2.1.1:*:*:*:*:*:*:* | pkg:maven/org.apache.kafka/kafka-clients@2.1.1 | HIGH | 1 | Highest | 12
kfs-0.3.jar |  | pkg:maven/net.sf.kosmosfs/kfs@0.3 |  | 0 |  | 16
kotlin-compiler-embeddable-1.3.50.jar | cpe:2.3:a:jetbrains:kotlin:1.3.50:*:*:*:*:*:*:* | pkg:maven/org.jetbrains.kotlin/kotlin-compiler-embeddable@1.3.50 | MEDIUM | 1 | Low | 16
kotlin-compiler-embeddable-1.3.50.jar: jansi.dll |  |  |  | 0 |  | 2
kotlin-compiler-embeddable-1.3.50.jar: jansi.dll |  |  |  | 0 |  | 2
kotlin-daemon-embeddable-1.3.50.jar | cpe:2.3:a:jetbrains:kotlin:1.3.50:*:*:*:*:*:*:* | pkg:maven/org.jetbrains.kotlin/kotlin-daemon-embeddable@1.3.50 | MEDIUM | 1 | Low | 19
kotlin-reflect-1.3.50.jar | cpe:2.3:a:jetbrains:kotlin:1.3.50:*:*:*:*:*:*:* | pkg:maven/org.jetbrains.kotlin/kotlin-reflect@1.3.50 | MEDIUM | 1 | Low | 21
kotlin-script-runtime-1.3.50.jar | cpe:2.3:a:jetbrains:kotlin:1.3.50:*:*:*:*:*:*:* | pkg:maven/org.jetbrains.kotlin/kotlin-script-runtime@1.3.50 | MEDIUM | 1 | Low | 19
kotlin-scripting-common-1.3.50.jar | cpe:2.3:a:jetbrains:kotlin:1.3.50:*:*:*:*:*:*:* | pkg:maven/org.jetbrains.kotlin/kotlin-scripting-common@1.3.50 | MEDIUM | 1 | Low | 17
kotlin-scripting-compiler-embeddable-1.3.50.jar | cpe:2.3:a:jetbrains:kotlin:1.3.50:*:*:*:*:*:*:* | pkg:maven/org.jetbrains.kotlin/kotlin-scripting-compiler-embeddable@1.3.50 | MEDIUM | 1 | Low | 20
kotlin-scripting-compiler-impl-embeddable-1.3.50.jar | cpe:2.3:a:jetbrains:kotlin:1.3.50:*:*:*:*:*:*:* | pkg:maven/org.jetbrains.kotlin/kotlin-scripting-compiler-impl-embeddable@1.3.50 | MEDIUM | 1 | Low | 19
kotlin-scripting-jvm-1.3.50.jar | cpe:2.3:a:jetbrains:kotlin:1.3.50:*:*:*:*:*:*:* | pkg:maven/org.jetbrains.kotlin/kotlin-scripting-jvm@1.3.50 | MEDIUM | 1 | Low | 18
kotlin-stdlib-1.3.50.jar | cpe:2.3:a:jetbrains:kotlin:1.3.50:*:*:*:*:*:*:* | pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.3.50 | MEDIUM | 1 | Low | 15
kotlin-stdlib-common-1.3.50.jar | cpe:2.3:a:jetbrains:kotlin:1.3.50:*:*:*:*:*:*:* | pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.3.50 | MEDIUM | 1 | Low | 13
kotlinx-coroutines-core-1.1.1.jar |  | pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-core@1.1.1 |  | 0 |  | 10
kryo-shaded-3.0.3.jar |  | pkg:maven/com.esotericsoftware/kryo-parent@3.0.3; pkg:maven/com.esotericsoftware/kryo-shaded@3.0.3 |  | 0 |  | 26
kryo-shaded-3.0.3.jar (shaded: com.esotericsoftware:reflectasm:1.10.1) |  | pkg:maven/com.esotericsoftware/reflectasm@1.10.1 |  | 0 |  | 9
leveldbjni-all-1.8.jar |  | pkg:maven/org.fusesource.leveldbjni/leveldbjni-all@1.8 |  | 0 |  | 35
leveldbjni-all-1.8.jar: leveldbjni.dll |  |  |  | 0 |  | 2
leveldbjni-all-1.8.jar: leveldbjni.dll |  |  |  | 0 |  | 2
listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar |  | pkg:maven/com.google.guava/listenablefuture@9999.0-empty-to-avoid-conflict-with-guava |  | 0 |  | 17
log4j-1.2.17.jar | cpe:2.3:a:apache:log4j:1.2.17:*:*:*:*:*:*:* | pkg:maven/log4j/log4j@1.2.17 | CRITICAL | 2 | Highest | 32
log4j-api-2.13.3.jar | cpe:2.3:a:apache:log4j:2.13.3:*:*:*:*:*:*:* | pkg:maven/org.apache.logging.log4j/log4j-api@2.13.3 |  | 0 | Highest | 48
lombok-1.18.10.jar |  | pkg:maven/org.projectlombok/lombok@1.18.10 |  | 0 |  | 11
lz4-1.3.0.jar |  | pkg:maven/net.jpountz.lz4/lz4@1.3.0 |  | 0 |  | 18
lz4-java-1.5.0.jar |  | pkg:maven/org.lz4/lz4-java@1.5.0 |  | 0 |  | 20
mail-1.4.7.jar |  | pkg:maven/javax.mail/mail@1.4.7 |  | 0 |  | 46
memory-0.9.0.jar |  | pkg:maven/com.yahoo.datasketches/memory@0.9.0 |  | 0 |  | 24
metrics-core-3.1.2.jar |  | pkg:maven/io.dropwizard.metrics/metrics-core@3.1.2 |  | 0 |  | 24
metrics-core-3.2.2.jar |  | pkg:maven/io.dropwizard.metrics/metrics-core@3.2.2 |  | 0 |  | 24
metrics-graphite-3.1.2.jar |  | pkg:maven/io.dropwizard.metrics/metrics-graphite@3.1.2 |  | 0 |  | 26
metrics-json-3.1.2.jar |  | pkg:maven/io.dropwizard.metrics/metrics-json@3.1.2 |  | 0 |  | 26
metrics-jvm-3.1.2.jar |  | pkg:maven/io.dropwizard.metrics/metrics-jvm@3.1.2 |  | 0 |  | 26
micrometer-core-1.2.0.jar |  | pkg:maven/io.micrometer/micrometer-core@1.2.0 |  | 0 |  | 40
micrometer-core-1.2.0.jar (shaded: org.pcollections:pcollections:3.0.3) |  | pkg:maven/org.pcollections/pcollections@3.0.3 |  | 0 |  | 9
minlog-1.3.0.jar |  | pkg:maven/com.esotericsoftware/minlog@1.3.0 |  | 0 |  | 29
mongo-java-driver-3.10.2.jar | cpe:2.3:a:mongodb:java_driver:3.10.2:*:*:*:*:*:*:* | pkg:maven/org.mongodb/mongo-java-driver@3.10.2 |  | 0 | Low | 18
mx4j-3.0.2.jarpkg:maven/mx4j/mx4j@3.0.2 017
natty-0.13.jarpkg:maven/com.joestelmach/natty@0.13 026
netty-3.7.0.Final.jarcpe:2.3:a:netty:netty:3.7.0:*:*:*:*:*:*:*pkg:maven/io.netty/netty@3.7.0.FinalUnknown10Highest33
netty-3.9.9.Final.jarcpe:2.3:a:netty:netty:3.9.9:*:*:*:*:*:*:*pkg:maven/io.netty/netty@3.9.9.FinalCRITICAL6Highest33
netty-all-4.0.43.Final.jarcpe:2.3:a:netty:netty:4.0.43:*:*:*:*:*:*:*pkg:maven/io.netty/netty-all@4.0.43.FinalCRITICAL6Highest24
netty-buffer-4.0.56.Final.jarcpe:2.3:a:netty:netty:4.0.56:*:*:*:*:*:*:*pkg:maven/io.netty/netty-buffer@4.0.56.FinalCRITICAL6Highest34
netty-codec-4.0.56.Final.jarcpe:2.3:a:netty:netty:4.0.56:*:*:*:*:*:*:*pkg:maven/io.netty/netty-codec@4.0.56.FinalCRITICAL6Highest34
netty-common-4.0.56.Final.jarcpe:2.3:a:netty:netty:4.0.56:*:*:*:*:*:*:*pkg:maven/io.netty/netty-common@4.0.56.FinalCRITICAL6Highest33
netty-common-4.0.56.Final.jar (shaded: org.jctools:jctools-core:2.1.1)pkg:maven/org.jctools/jctools-core@2.1.1 09
netty-handler-4.0.56.Final.jarcpe:2.3:a:netty:netty:4.0.56:*:*:*:*:*:*:*pkg:maven/io.netty/netty-handler@4.0.56.FinalCRITICAL6Highest34
netty-transport-4.0.56.Final.jarcpe:2.3:a:netty:netty:4.0.56:*:*:*:*:*:*:*pkg:maven/io.netty/netty-transport@4.0.56.FinalCRITICAL6Highest32
objenesis-2.1.jarpkg:maven/org.objenesis/objenesis@2.1 019
opencsv-2.3.jarpkg:maven/net.sf.opencsv/opencsv@2.3 023
oro-2.0.8.jarpkg:maven/oro/oro@2.0.8 019
osgi-resource-locator-1.0.1.jarpkg:maven/org.glassfish.hk2/osgi-resource-locator@1.0.1 030
paranamer-2.3.jarpkg:maven/com.thoughtworks.paranamer/paranamer@2.3 024
paranamer-2.8.jarpkg:maven/com.thoughtworks.paranamer/paranamer@2.8 026
picocli-4.1.4.jarpkg:maven/info.picocli/picocli@4.1.4 020
pig-0.16.0-h2.jarpkg:maven/org.apache.pig/pig@0.16.0 015
protobuf-java-3.6.1.jarpkg:maven/com.google.protobuf/protobuf-java@3.6.1 029
py4j-0.10.7.jarpkg:maven/net.sf.py4j/py4j@0.10.7 016
pyrolite-4.13.jarpkg:maven/net.razorvine/pyrolite@4.13 028
quidem-0.9.jarpkg:maven/net.hydromatic/quidem@0.9 033
rmiio-2.1.2.jarpkg:maven/com.healthmarketscience.rmiio/rmiio@2.1.2 030
scala-compiler-2.10.0.jarcpe:2.3:a:scala-lang:scala:2.10.0:*:*:*:*:*:*:*pkg:maven/org.scala-lang/scala-compiler@2.10.0HIGH1Low20
scala-compiler-2.10.0.jar: diagrams.js 00
scala-compiler-2.10.0.jar: index.js 00
scala-compiler-2.10.0.jar: jquery-ui.jspkg:javascript/jquery-ui-dialog@1.9.0MEDIUM23
scala-compiler-2.10.0.jar: jquery.jspkg:javascript/jquery@1.8.2MEDIUM53
scala-compiler-2.10.0.jar: jquery.layout.js 00
scala-compiler-2.10.0.jar: modernizr.custom.js 00
scala-compiler-2.10.0.jar: raphael-min.js 00
scala-compiler-2.10.0.jar: scheduler.js 00
scala-compiler-2.10.0.jar: template.js 00
scala-compiler-2.10.0.jar: tools.tooltip.js 00
scala-library-2.10.7.jarcpe:2.3:a:scala-lang:scala:2.10.7:*:*:*:*:*:*:*pkg:maven/org.scala-lang/scala-library@2.10.7 0Low14
scala-reflect-2.10.0.jarcpe:2.3:a:scala-lang:scala:2.10.0:*:*:*:*:*:*:*pkg:maven/org.scala-lang/scala-reflect@2.10.0HIGH1Low20
scalap-2.10.0.jarpkg:maven/org.scala-lang/scalap@2.10.0 013
scott-data-hsqldb-0.1.jarpkg:maven/net.hydromatic/scott-data-hsqldb@0.1 035
serializer-2.7.1.jarpkg:maven/xalan/serializer@2.7.1HIGH124
servlet-api-2.5-20081211.jarcpe:2.3:a:jetty:jetty:2.5:20081211:*:*:*:*:*:*
cpe:2.3:a:mortbay:jetty:2.5:20081211:*:*:*:*:*:*
cpe:2.3:a:mortbay_jetty:jetty:2.5:20081211:*:*:*:*:*:*
pkg:maven/org.mortbay.jetty/servlet-api@2.5-20081211MEDIUM6Highest30
servlet-api-2.5-6.1.14.jarcpe:2.3:a:jetty:jetty:6.1.14:*:*:*:*:*:*:*
cpe:2.3:a:mortbay:jetty:6.1.14:*:*:*:*:*:*:*
cpe:2.3:a:mortbay_jetty:jetty:6.1.14:*:*:*:*:*:*:*
pkg:maven/org.mortbay.jetty/servlet-api-2.5@6.1.14HIGH9Highest34
servlet-api-2.5.jarpkg:maven/javax.servlet/servlet-api@2.5 017
shiro-cache-1.4.0.jarcpe:2.3:a:apache:shiro:1.4.0:*:*:*:*:*:*:*pkg:maven/org.apache.shiro/shiro-cache@1.4.0CRITICAL6Highest37
shiro-config-core-1.4.0.jarcpe:2.3:a:apache:shiro:1.4.0:*:*:*:*:*:*:*pkg:maven/org.apache.shiro/shiro-config-core@1.4.0CRITICAL6Highest37
shiro-config-ogdl-1.4.0.jarcpe:2.3:a:apache:shiro:1.4.0:*:*:*:*:*:*:*pkg:maven/org.apache.shiro/shiro-config-ogdl@1.4.0CRITICAL6Highest37
shiro-core-1.4.0.jarcpe:2.3:a:apache:shiro:1.4.0:*:*:*:*:*:*:*pkg:maven/org.apache.shiro/shiro-core@1.4.0CRITICAL6Highest36
shiro-crypto-cipher-1.4.0.jarcpe:2.3:a:apache:shiro:1.4.0:*:*:*:*:*:*:*pkg:maven/org.apache.shiro/shiro-crypto-cipher@1.4.0CRITICAL6Highest37
shiro-crypto-core-1.4.0.jarcpe:2.3:a:apache:shiro:1.4.0:*:*:*:*:*:*:*pkg:maven/org.apache.shiro/shiro-crypto-core@1.4.0CRITICAL6Highest37
shiro-crypto-hash-1.4.0.jarcpe:2.3:a:apache:shiro:1.4.0:*:*:*:*:*:*:*pkg:maven/org.apache.shiro/shiro-crypto-hash@1.4.0CRITICAL6Highest39
shiro-event-1.4.0.jarcpe:2.3:a:apache:shiro:1.4.0:*:*:*:*:*:*:*pkg:maven/org.apache.shiro/shiro-event@1.4.0CRITICAL6Highest37
shiro-lang-1.4.0.jarcpe:2.3:a:apache:shiro:1.4.0:*:*:*:*:*:*:*pkg:maven/org.apache.shiro/shiro-lang@1.4.0CRITICAL6Highest35
sketches-core-0.9.0.jarpkg:maven/com.yahoo.datasketches/sketches-core@0.9.0 024
slf4j-api-1.7.25.jarpkg:maven/org.slf4j/slf4j-api@1.7.25 029
slf4j-api-1.7.28.jarpkg:maven/org.slf4j/slf4j-api@1.7.28 031
slf4j-api-1.7.30.jarpkg:maven/org.slf4j/slf4j-api@1.7.30 031
slf4j-log4j12-1.7.25.jarpkg:maven/org.slf4j/slf4j-log4j12@1.7.25 031
slf4j-log4j12-1.7.28.jarpkg:maven/org.slf4j/slf4j-log4j12@1.7.28 031
snakeyaml-1.24.jarcpe:2.3:a:snakeyaml_project:snakeyaml:1.24:*:*:*:*:*:*:*pkg:maven/org.yaml/snakeyaml@1.24HIGH1Highest30
snappy-java-1.0.4.1.jarcpe:2.3:a:google:snappy:1.0.4.1:*:*:*:*:*:*:*pkg:maven/org.xerial.snappy/snappy-java@1.0.4.1 0Highest29
snappy-java-1.0.4.1.jar: snappyjava.dll 02
snappy-java-1.0.4.1.jar: snappyjava.dll 02
snappy-java-1.1.2.6.jarpkg:maven/org.xerial.snappy/snappy-java@1.1.2.6 026
snappy-java-1.1.2.6.jar: snappyjava.dll 02
snappy-java-1.1.2.6.jar: snappyjava.dll 02
snappy-java-1.1.7.2.jarpkg:maven/org.xerial.snappy/snappy-java@1.1.7.2 028
snappy-java-1.1.7.2.jar: snappyjava.dll 02
snappy-java-1.1.7.2.jar: snappyjava.dll 02
spark-core_2.10-2.2.2.jarcpe:2.3:a:apache:spark:2.2.2:*:*:*:*:*:*:*pkg:maven/org.apache.spark/spark-core_2.10@2.2.2CRITICAL6Highest31
spark-core_2.10-2.2.2.jar (shaded: org.eclipse.jetty:jetty-client:9.3.11.v20160721)cpe:2.3:a:eclipse:jetty:9.3.11:20160721:*:*:*:*:*:*
cpe:2.3:a:jetty:jetty:9.3.11:20160721:*:*:*:*:*:*
pkg:maven/org.eclipse.jetty/jetty-client@9.3.11.v20160721CRITICAL9Highest13
spark-core_2.10-2.2.2.jar (shaded: org.eclipse.jetty:jetty-continuation:9.3.11.v20160721)cpe:2.3:a:eclipse:jetty:9.3.11:20160721:*:*:*:*:*:*
cpe:2.3:a:jetty:jetty:9.3.11:20160721:*:*:*:*:*:*
pkg:maven/org.eclipse.jetty/jetty-continuation@9.3.11.v20160721CRITICAL9Highest13
spark-core_2.10-2.2.2.jar (shaded: org.eclipse.jetty:jetty-http:9.3.11.v20160721)cpe:2.3:a:eclipse:jetty:9.3.11:20160721:*:*:*:*:*:*
cpe:2.3:a:jetty:jetty:9.3.11:20160721:*:*:*:*:*:*
pkg:maven/org.eclipse.jetty/jetty-http@9.3.11.v20160721CRITICAL10Highest13
spark-core_2.10-2.2.2.jar (shaded: org.eclipse.jetty:jetty-io:9.3.11.v20160721)pkg:maven/org.eclipse.jetty/jetty-io@9.3.11.v20160721HIGH113
spark-core_2.10-2.2.2.jar (shaded: org.eclipse.jetty:jetty-plus:9.3.11.v20160721)cpe:2.3:a:eclipse:jetty:9.3.11:20160721:*:*:*:*:*:*
cpe:2.3:a:jetty:jetty:9.3.11:20160721:*:*:*:*:*:*
pkg:maven/org.eclipse.jetty/jetty-plus@9.3.11.v20160721CRITICAL10Highest13
spark-core_2.10-2.2.2.jar (shaded: org.eclipse.jetty:jetty-proxy:9.3.11.v20160721)pkg:maven/org.eclipse.jetty/jetty-proxy@9.3.11.v20160721 013
spark-core_2.10-2.2.2.jar (shaded: org.eclipse.jetty:jetty-security:9.3.11.v20160721)cpe:2.3:a:eclipse:jetty:9.3.11:20160721:*:*:*:*:*:*
cpe:2.3:a:jetty:jetty:9.3.11:20160721:*:*:*:*:*:*
pkg:maven/org.eclipse.jetty/jetty-security@9.3.11.v20160721CRITICAL9Highest13
spark-core_2.10-2.2.2.jar (shaded: org.eclipse.jetty:jetty-server:9.3.11.v20160721)cpe:2.3:a:eclipse:jetty:9.3.11:20160721:*:*:*:*:*:*
cpe:2.3:a:jetty:jetty:9.3.11:20160721:*:*:*:*:*:*
pkg:maven/org.eclipse.jetty/jetty-server@9.3.11.v20160721CRITICAL10Highest13
spark-core_2.10-2.2.2.jar (shaded: org.eclipse.jetty:jetty-servlet:9.3.11.v20160721)cpe:2.3:a:eclipse:jetty:9.3.11:20160721:*:*:*:*:*:*
cpe:2.3:a:jetty:jetty:9.3.11:20160721:*:*:*:*:*:*
pkg:maven/org.eclipse.jetty/jetty-servlet@9.3.11.v20160721CRITICAL9Highest13
spark-core_2.10-2.2.2.jar (shaded: org.eclipse.jetty:jetty-servlets:9.3.11.v20160721)cpe:2.3:a:eclipse:jetty:9.3.11:20160721:*:*:*:*:*:*
cpe:2.3:a:jetty:jetty:9.3.11:20160721:*:*:*:*:*:*
pkg:maven/org.eclipse.jetty/jetty-servlets@9.3.11.v20160721CRITICAL9Highest13
spark-core_2.10-2.2.2.jar (shaded: org.eclipse.jetty:jetty-util:9.3.11.v20160721)cpe:2.3:a:eclipse:jetty:9.3.11:20160721:*:*:*:*:*:*
cpe:2.3:a:jetty:jetty:9.3.11:20160721:*:*:*:*:*:*
pkg:maven/org.eclipse.jetty/jetty-util@9.3.11.v20160721CRITICAL9Highest13
spark-core_2.10-2.2.2.jar: additional-metrics.js 00
spark-core_2.10-2.2.2.jar: bootstrap-tooltip.js 00
spark-core_2.10-2.2.2.jar: d3.min.js 00
spark-core_2.10-2.2.2.jar: dagre-d3.min.js 00
spark-core_2.10-2.2.2.jar: dataTables.bootstrap.min.js 00
spark-core_2.10-2.2.2.jar: dataTables.rowsGroup.js 00
spark-core_2.10-2.2.2.jar: executorspage.js 00
spark-core_2.10-2.2.2.jar: graphlib-dot.min.js 00
spark-core_2.10-2.2.2.jar: historypage-common.js 00
spark-core_2.10-2.2.2.jar: historypage.js 00
spark-core_2.10-2.2.2.jar: initialize-tooltips.js 00
spark-core_2.10-2.2.2.jar: jquery-1.11.1.min.jspkg:javascript/jquery@1.11.1.minMEDIUM43
spark-core_2.10-2.2.2.jar: jquery.blockUI.min.js 00
spark-core_2.10-2.2.2.jar: jquery.cookies.2.2.0.min.js 00
spark-core_2.10-2.2.2.jar: jquery.dataTables.1.10.4.min.js 00
spark-core_2.10-2.2.2.jar: jquery.mustache.jspkg:javascript/mustache.js@0.8.1medium13
spark-core_2.10-2.2.2.jar: jsonFormatter.min.js 00
spark-core_2.10-2.2.2.jar: log-view.js 00
spark-core_2.10-2.2.2.jar: sorttable.js 00
spark-core_2.10-2.2.2.jar: spark-dag-viz.js 00
spark-core_2.10-2.2.2.jar: table.js 00
spark-core_2.10-2.2.2.jar: timeline-view.js 00
spark-core_2.10-2.2.2.jar: utils.js 00
spark-core_2.10-2.2.2.jar: vis.min.js 00
spark-core_2.10-2.2.2.jar: webui.js 00
spark-launcher_2.10-2.2.2.jarcpe:2.3:a:apache:spark:2.2.2:*:*:*:*:*:*:*pkg:maven/org.apache.spark/spark-launcher_2.10@2.2.2CRITICAL6Highest32
spark-network-common_2.10-2.2.2.jarcpe:2.3:a:apache:spark:2.2.2:*:*:*:*:*:*:*pkg:maven/org.apache.spark/spark-network-common_2.10@2.2.2CRITICAL6Highest32
spark-network-common_2.10-2.2.2.jar (shaded: com.google.guava:guava:14.0.1)cpe:2.3:a:google:guava:14.0.1:*:*:*:*:*:*:*pkg:maven/com.google.guava/guava@14.0.1MEDIUM2Highest11
spark-network-shuffle_2.10-2.2.2.jarcpe:2.3:a:apache:spark:2.2.2:*:*:*:*:*:*:*pkg:maven/org.apache.spark/spark-network-shuffle_2.10@2.2.2CRITICAL6Highest34
spark-tags_2.10-2.2.2.jarcpe:2.3:a:apache:spark:2.2.2:*:*:*:*:*:*:*pkg:maven/org.apache.spark/spark-tags_2.10@2.2.2CRITICAL6Highest30
spark-unsafe_2.10-2.2.2.jarcpe:2.3:a:apache:spark:2.2.2:*:*:*:*:*:*:*pkg:maven/org.apache.spark/spark-unsafe_2.10@2.2.2CRITICAL6Highest32
spring-aop-4.3.23.RELEASE.jarcpe:2.3:a:pivotal_software:spring_framework:4.3.23:release:*:*:*:*:*:*pkg:maven/org.springframework/spring-aop@4.3.23.RELEASEMEDIUM1Highest12
spring-beans-4.3.23.RELEASE.jarcpe:2.3:a:pivotal_software:spring_framework:4.3.23:release:*:*:*:*:*:*pkg:maven/org.springframework/spring-beans@4.3.23.RELEASEMEDIUM1Highest14
spring-context-4.3.23.RELEASE.jarcpe:2.3:a:pivotal_software:spring_framework:4.3.23:release:*:*:*:*:*:*pkg:maven/org.springframework/spring-context@4.3.23.RELEASEMEDIUM1Highest10
spring-core-4.3.23.RELEASE.jarcpe:2.3:a:pivotal_software:spring_framework:4.3.23:release:*:*:*:*:*:*
cpe:2.3:a:springsource:spring_framework:4.3.23:release:*:*:*:*:*:*
cpe:2.3:a:vmware:springsource_spring_framework:4.3.23:release:*:*:*:*:*:*
pkg:maven/org.springframework/spring-core@4.3.23.RELEASEMEDIUM1Highest15
spring-expression-4.3.23.RELEASE.jarcpe:2.3:a:pivotal_software:spring_framework:4.3.23:release:*:*:*:*:*:*pkg:maven/org.springframework/spring-expression@4.3.23.RELEASEMEDIUM1Highest14
spring-shell-1.2.0.RELEASE.jarpkg:maven/org.springframework.shell/spring-shell@1.2.0.RELEASE 012
spring-web-4.3.23.RELEASE.jarcpe:2.3:a:pivotal_software:spring_framework:4.3.23:release:*:*:*:*:*:*pkg:maven/org.springframework/spring-web@4.3.23.RELEASEMEDIUM1Highest12
sqlline-1.11.0.jarpkg:maven/sqlline/sqlline@1.11.0 033
stax-api-1.0-2.jarpkg:maven/javax.xml.stream/stax-api@1.0-2 012
stream-2.7.0.jarpkg:maven/com.clearspring.analytics/stream@2.7.0 026
stringtemplate-3.2.1.jarpkg:maven/org.antlr/stringtemplate@3.2.1 024
tpcds-0.4.jarpkg:maven/net.hydromatic/tpcds@0.4 030
tpcds-1.2.jarpkg:maven/com.teradata.tpcds/tpcds@1.2 034
tpch-1.0.jarpkg:maven/io.prestosql.tpch/tpch@1.0 034
trove4j-1.0.20181211.jarpkg:maven/org.jetbrains.intellij.deps/trove4j@1.0.20181211 010
unused-1.0.0.jarcpe:2.3:a:apache:spark:1.0.0:*:*:*:*:*:*:*pkg:maven/org.spark-project.spark/unused@1.0.0CRITICAL4Low23
uzaygezen-core-0.2.jarpkg:maven/com.google.uzaygezen/uzaygezen-core@0.2 028
validation-api-1.1.0.Final.jarpkg:maven/javax.validation/validation-api@1.1.0.Final 022
xalan-2.7.1.jarcpe:2.3:a:apache:xalan-java:2.7.1:*:*:*:*:*:*:*pkg:maven/xalan/xalan@2.7.1HIGH1Low45
xbean-asm5-shaded-4.4.jarpkg:maven/org.apache.xbean/xbean-asm5-shaded@4.4 030
xbean-asm5-shaded-4.4.jar (shaded: org.apache.xbean:xbean-asm-util:4.4)pkg:maven/org.apache.xbean/xbean-asm-util@4.4 011
xercesImpl-2.9.1.jarpkg:maven/xerces/xercesImpl@2.9.1Unknown162
xml-apis-1.3.04.jarpkg:maven/xml-apis/xml-apis@1.3.04 060
xml-resolver-1.2.jarpkg:maven/xml-resolver/xml-resolver@1.2 020
xmlenc-0.52.jarpkg:maven/xmlenc/xmlenc@0.52 015
xz-1.0.jarcpe:2.3:a:tukaani:xz:1.0:*:*:*:*:*:*:*pkg:maven/org.tukaani/xz@1.0 0Highest14
zookeeper-3.4.6.jarcpe:2.3:a:apache:zookeeper:3.4.6:*:*:*:*:*:*:*pkg:maven/org.apache.zookeeper/zookeeper@3.4.6HIGH5Highest29
zstd-jni-1.3.7-1.jarpkg:maven/com.github.luben/zstd-jni@1.3.7-1 029
zstd-jni-1.3.7-1.jar: libzstd-jni.dll 02
zstd-jni-1.3.7-1.jar: libzstd-jni.dll 02

Dependencies

HdrHistogram-2.1.11.jar

Description:

HdrHistogram supports the recording and analyzing sampled data value counts across a configurable integer value range with configurable value precision within the range. Value precision is expressed as the number of significant digits in the value recording, and provides control over value quantization behavior across the value range and the subsequent value resolution at any given level.

License:

Public Domain, per Creative Commons CC0: http://creativecommons.org/publicdomain/zero/1.0/
BSD-2-Clause: https://opensource.org/licenses/BSD-2-Clause
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.hdrhistogram/HdrHistogram/2.1.11/1b035a1a4ce5d3441a4a1a331d04839ef487ec49/HdrHistogram-2.1.11.jar
MD5: f3a8c558c7786948ff98819f8eac191f
SHA1: 1b035a1a4ce5d3441a4a1a331d04839ef487ec49
SHA256:96671e0898b35d602869efd9339b1929cdac855d2bc64922efbbcdd2209816bc
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • geode:default
  • geode:compileClasspath
  • geode:runtimeClasspath

Identifiers

LatencyUtils-2.0.3.jar

Description:

LatencyUtils is a package that provides latency recording and reporting utilities.

License:

Public Domain, per Creative Commons CC0: http://creativecommons.org/publicdomain/zero/1.0/
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.latencyutils/LatencyUtils/2.0.3/769c0b82cb2421c8256300e907298a9410a2a3d3/LatencyUtils-2.0.3.jar
MD5: 2ad12e1ef7614cecfb0483fa9ac6da73
SHA1: 769c0b82cb2421c8256300e907298a9410a2a3d3
SHA256:a32a9ffa06b2f4e01c5360f8f9df7bc5d9454a5d373cd8f361347fa5a57165ec
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • geode:default
  • geode:compileClasspath
  • geode:runtimeClasspath

Identifiers

RoaringBitmap-0.5.11.jar

Description:

Roaring bitmaps are compressed bitmaps (also called bitsets) which tend to outperform conventional compressed bitmaps such as WAH or Concise.

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.roaringbitmap/RoaringBitmap/0.5.11/e6b04760ea1896fc36beea4f11b8649481bf5af7/RoaringBitmap-0.5.11.jar
MD5: 5598b28306a4480ad5c7debcdb516df2
SHA1: e6b04760ea1896fc36beea4f11b8649481bf5af7
SHA256:bad2fcf146d4a41cb188a28a4216f15cc470cd2fb6417a7d0005e7f8221ff312
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

ST4-4.0.4.jar

Description:

StringTemplate is a java template engine for generating source code,
web pages, emails, or any other formatted text output.

StringTemplate is particularly good at multi-targeted code generators,
multiple site skins, and internationalization/localization. 

It evolved over years of effort developing jGuru.com. 

StringTemplate also generates the stringtemplate website: http://www.stringtemplate.org
and powers the ANTLR v3 code generator. Its distinguishing characteristic 
is that unlike other engines, it strictly enforces model-view separation.

Strict separation makes websites and code generators more flexible
and maintainable; it also provides an excellent defense against malicious
template authors.

There are currently about 600 StringTemplate source downloads a month.
    

License:

BSD licence: http://antlr.org/license.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.antlr/ST4/4.0.4/467a2aa12be6d0f0f68c70eecf6714ab733027ac/ST4-4.0.4.jar
MD5: 06856c607f242639cd52ef2b4c63ebc9
SHA1: 467a2aa12be6d0f0f68c70eecf6714ab733027ac
SHA256:17cc49dc535a0fbe58c3a8634e774572bed31eb73415e9ce9d2703b977bf356f
Referenced In Projects/Scopes:
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • pig:runtimeClasspath
  • piglet:default
  • pig:default
  • pig:compileClasspath

Identifiers

Saxon-HE-9.9.1-6.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.sf.saxon/Saxon-HE/9.9.1-6/1905b27b0e4df1ee3a0857f403f64558ef780e6f/Saxon-HE-9.9.1-6.jar
MD5: 173398f1e38f077a0583900d99b4f5f9
SHA1: 1905b27b0e4df1ee3a0857f403f64558ef780e6f
SHA256:00d1d0428752a245f1725293c0c0d102f735455b14028777baef42a90f3d93ec
Referenced In Projects/Scopes:

  • splunk:checkstyle
  • cassandra:checkstyle
  • piglet:checkstyle
  • calcite:checkstyle
  • bom:checkstyle
  • function:checkstyle
  • spark:checkstyle
  • plus:checkstyle
  • pig:checkstyle
  • druid:checkstyle
  • csv:checkstyle
  • core:checkstyle
  • server:checkstyle
  • file:checkstyle
  • geode:checkstyle
  • mongodb:checkstyle
  • elasticsearch:checkstyle
  • release:checkstyle
  • kafka:checkstyle
  • ubenchmark:checkstyle
  • linq4j:checkstyle
  • redis:checkstyle
  • babel:checkstyle
  • example:checkstyle
  • innodb:checkstyle

Identifiers

accessors-smart-1.2.jar

Description:

Java reflection gives poor performance on getter, setter and constructor calls; accessors-smart uses ASM to speed up those calls.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.minidev/accessors-smart/1.2/c592b500269bfde36096641b01238a8350f8aa31/accessors-smart-1.2.jar
MD5: c28b871d258b4d347559d2eb7ecec4a3
SHA1: c592b500269bfde36096641b01238a8350f8aa31
SHA256:0c7c265d62fc007124dc32b91336e9c4272651d629bc5fa1a4e4e3bc758eb2e4
Referenced In Projects/Scopes:
  • babel:default
  • piglet:runtimeClasspath
  • spark:default
  • splunk:default
  • function:runtimeClasspath
  • kafka:default
  • redis:runtimeClasspath
  • server:runtimeClasspath
  • cassandra:runtimeClasspath
  • druid:default
  • spark:runtimeClasspath
  • core:default
  • babel:runtimeClasspath
  • elasticsearch:runtimeClasspath
  • innodb:default
  • piglet:default
  • pig:default
  • plus:runtimeClasspath
  • function:default
  • csv:default
  • core:implementationDependenciesMetadata
  • kafka:runtimeClasspath
  • splunk:runtimeClasspath
  • core:compileClasspath
  • file:runtimeClasspath
  • innodb:runtimeClasspath
  • calcite:sqllineClasspath
  • core:runtimeClasspath
  • geode:default
  • elasticsearch:default
  • druid:runtimeClasspath
  • mongodb:runtimeClasspath
  • file:default
  • server:default
  • pig:runtimeClasspath
  • mongodb:default
  • redis:default
  • geode:runtimeClasspath
  • csv:runtimeClasspath
  • plus:default
  • cassandra:default

Identifiers

activation-1.1.1.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/javax.activation/activation/1.1.1/485de3a253e23f645037828c07f1d7f1af40763a/activation-1.1.1.jar
MD5: 46a37512971d8eca81c3fcf245bf07d2
SHA1: 485de3a253e23f645037828c07f1d7f1af40763a
SHA256:ae475120e9fcd99b4b00b38329bd61cdc5eb754eee03fe66c01f50e137724f99
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

activation-1.1.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/javax.activation/activation/1.1/e6cb541461c2834bdea3eb920f1884d1eb508b50/activation-1.1.jar
MD5: 8ae38e87cd4f86059c0294a8fe3e0b18
SHA1: e6cb541461c2834bdea3eb920f1884d1eb508b50
SHA256:2881c79c9d6ef01c58e62beea13e9d1ac8b8baa16f2fc198ad6e6776defdcdd3
Referenced In Projects/Scopes:

  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • piglet:default

Identifiers

aggdesigner-algorithm-6.0.jar

Description:

Algorithm that designs aggregate tables

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.hydromatic/aggdesigner-algorithm/6.0/bd0cd7ad1e3791a8a0929df0dcdbffc02fd0bab4/aggdesigner-algorithm-6.0.jar
MD5: 4a49fceeeb87328bc23d9da4879112d6
SHA1: bd0cd7ad1e3791a8a0929df0dcdbffc02fd0bab4
SHA256:9c06b3af57653eaf004231818cc8e91569d832d0b24ae1a8600daf023c050bfb
Referenced In Projects/Scopes:

  • babel:default
  • piglet:runtimeClasspath
  • spark:default
  • splunk:default
  • function:runtimeClasspath
  • kafka:default
  • redis:runtimeClasspath
  • server:runtimeClasspath
  • cassandra:runtimeClasspath
  • druid:default
  • spark:runtimeClasspath
  • core:default
  • babel:runtimeClasspath
  • elasticsearch:runtimeClasspath
  • innodb:default
  • piglet:default
  • pig:default
  • plus:runtimeClasspath
  • function:default
  • csv:default
  • core:implementationDependenciesMetadata
  • kafka:runtimeClasspath
  • splunk:runtimeClasspath
  • core:compileClasspath
  • file:runtimeClasspath
  • innodb:runtimeClasspath
  • calcite:sqllineClasspath
  • core:runtimeClasspath
  • geode:default
  • elasticsearch:default
  • druid:runtimeClasspath
  • mongodb:runtimeClasspath
  • file:default
  • server:default
  • pig:runtimeClasspath
  • mongodb:default
  • redis:default
  • geode:runtimeClasspath
  • csv:runtimeClasspath
  • plus:default
  • cassandra:default

Identifiers

airline-0.7.jar

Description:

Java annotation-based framework for parsing Git-like command line structures

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/io.airlift/airline/0.7/16edc11b7d2d09e2db512f8028f05b9c48532229/airline-0.7.jar
MD5: 74da3d8dd81d16835097bcc094227430
SHA1: 16edc11b7d2d09e2db512f8028f05b9c48532229
SHA256:2ebe3cc06cadee9273a9bdaff6b582e07c201c0bb44881760eed49861374756d
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • plus:compileClasspath
  • plus:default
  • plus:runtimeClasspath

Identifiers

animal-sniffer-annotations-1.18.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.codehaus.mojo/animal-sniffer-annotations/1.18/f7aa683ea79dc6681ee9fb95756c999acbb62f5d/animal-sniffer-annotations-1.18.jar
MD5: f0a84f9b30590b3aa76edc893d6fe4ff
SHA1: f7aa683ea79dc6681ee9fb95756c999acbb62f5d
SHA256:47f05852b48ee9baefef80fa3d8cea60efa4753c0013121dd7fe5eef2e5c729d
Referenced In Projects/Scopes:

  • splunk:checkstyle
  • cassandra:checkstyle
  • piglet:checkstyle
  • calcite:checkstyle
  • bom:checkstyle
  • function:checkstyle
  • spark:checkstyle
  • plus:checkstyle
  • pig:checkstyle
  • druid:checkstyle
  • csv:checkstyle
  • core:checkstyle
  • server:checkstyle
  • file:checkstyle
  • geode:checkstyle
  • mongodb:checkstyle
  • elasticsearch:checkstyle
  • release:checkstyle
  • kafka:checkstyle
  • ubenchmark:checkstyle
  • linq4j:checkstyle
  • redis:checkstyle
  • babel:checkstyle
  • example:checkstyle
  • innodb:checkstyle

Identifiers

annotations-13.0.jar

Description:

A set of annotations used for code inspection support and code documentation.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jetbrains/annotations/13.0/919f0dfe192fb4e063e7dacadee7f8bb9a2672a9/annotations-13.0.jar
MD5: f4fb462172517b46b6cd90003508515a
SHA1: 919f0dfe192fb4e063e7dacadee7f8bb9a2672a9
SHA256:ace2a10dc8e2d5fd34925ecac03e4988b2c0f851650c94b8cef49ba1bd111478
Referenced In Projects/Scopes:
  • core:kotlinCompilerClasspath
  • core:kotlinCompilerPluginClasspath

Identifiers

annotations-2.0.3.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.google.code.findbugs/annotations/2.0.3/191383fa0deb88f393558eec231b206edc23aba0/annotations-2.0.3.jar
MD5: 276433efe0027762cffb7e4adc9262da
SHA1: 191383fa0deb88f393558eec231b206edc23aba0
SHA256:3ad1e8f838dbd6da3424a451d5d9262ea9c526eddb627b54b885cfd332efbc99
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • plus:compileClasspath
  • plus:default
  • plus:runtimeClasspath

Identifiers

ant-1.6.5.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/ant/ant/1.6.5/7d18faf23df1a5c3a43613952e0e8a182664564b/ant-1.6.5.jar
MD5: c5c499f1eef9367c657e89bb881c69aa
SHA1: 7d18faf23df1a5c3a43613952e0e8a182664564b
SHA256:f06a601c718a7c9262d74b7ec3baad14c82584e89235089b4f821d6a44d9e1e4
Referenced In Projects/Scopes:

  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • pig:runtimeClasspath
  • piglet:default
  • pig:default
  • pig:compileClasspath

Identifiers

  • pkg:maven/ant/ant@1.6.5  (Confidence:Highest)
  • cpe:2.3:a:apache:ant:1.6.5:*:*:*:*:*:*:*  (Confidence:Low)  

CVE-2020-1945  

Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: LOW (3.3)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.3)
  • Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

References:

Vulnerable Software & Versions:

antlr-2.7.7.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/antlr/antlr/2.7.7/83cd2cd674a217ade95a4bb83a8a14f351f48bd0/antlr-2.7.7.jar
MD5: f8f1352c52a4c6a500b597596501fc64
SHA1: 83cd2cd674a217ade95a4bb83a8a14f351f48bd0
SHA256:88fbda4b912596b9f56e8e12e580cc954bacfb51776ecfddd3e18fc1cf56dc4c
Referenced In Projects/Scopes:

  • piglet:compileClasspath
  • splunk:checkstyle
  • cassandra:checkstyle
  • piglet:checkstyle
  • calcite:checkstyle
  • bom:checkstyle
  • piglet:runtimeClasspath
  • function:checkstyle
  • spark:checkstyle
  • plus:checkstyle
  • pig:checkstyle
  • druid:checkstyle
  • csv:checkstyle
  • piglet:default
  • pig:default
  • core:checkstyle
  • server:checkstyle
  • file:checkstyle
  • calcite:sqllineClasspath
  • geode:default
  • geode:checkstyle
  • geode:compileClasspath
  • mongodb:checkstyle
  • elasticsearch:checkstyle
  • release:checkstyle
  • kafka:checkstyle
  • ubenchmark:checkstyle
  • linq4j:checkstyle
  • redis:checkstyle
  • babel:checkstyle
  • example:checkstyle
  • pig:runtimeClasspath
  • geode:runtimeClasspath
  • pig:compileClasspath
  • innodb:checkstyle

Identifiers

antlr-runtime-3.4.jar

Description:

A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, or Python actions.

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.antlr/antlr-runtime/3.4/8f011408269a8e42b8548687e137d8eeb56df4b4/antlr-runtime-3.4.jar
MD5: 0e0318be407e51fdf7ba6777eabfdf73
SHA1: 8f011408269a8e42b8548687e137d8eeb56df4b4
SHA256:5b7cf53b7b30b034023f58030c8147c433f2bee0fe7dec8fae6bebf3708c5a63
Referenced In Projects/Scopes:

  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • pig:runtimeClasspath
  • piglet:default
  • pig:default
  • pig:compileClasspath

Identifiers

antlr-runtime-3.5.2.jar

Description:

A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, or Python actions.

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.antlr/antlr-runtime/3.5.2/cd9cd41361c155f3af0f653009dcecb08d8b4afd/antlr-runtime-3.5.2.jar
MD5: 1fbbae2cb72530207c20b797bdabd029
SHA1: cd9cd41361c155f3af0f653009dcecb08d8b4afd
SHA256:ce3fc8ecb10f39e9a3cddcbb2ce350d272d9cd3d0b1e18e6fe73c3b9389c8734
Referenced In Projects/Scopes:

  • file:compileClasspath
  • file:runtimeClasspath
  • calcite:sqllineClasspath
  • csv:runtimeClasspath
  • file:default
  • csv:default

Identifiers

antlr4-runtime-4.7.2.jar

Description:

The ANTLR 4 Runtime

License:

http://www.antlr.org/license.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.antlr/antlr4-runtime/4.7.2/e27d8ab4f984f9d186f54da984a6ab1cccac755e/antlr4-runtime-4.7.2.jar
MD5: 2592a7a5d7320ad5f6677bf41f77a101
SHA1: e27d8ab4f984f9d186f54da984a6ab1cccac755e
SHA256:4c518b87d4bdff8b44cd8cbc1af816e944b62a3fe5b80b781501cf1f4759bbc4
Referenced In Projects/Scopes:
  • splunk:checkstyle
  • cassandra:checkstyle
  • piglet:checkstyle
  • calcite:checkstyle
  • bom:checkstyle
  • function:checkstyle
  • spark:checkstyle
  • plus:checkstyle
  • pig:checkstyle
  • druid:checkstyle
  • csv:checkstyle
  • core:checkstyle
  • server:checkstyle
  • file:checkstyle
  • geode:checkstyle
  • mongodb:checkstyle
  • elasticsearch:checkstyle
  • release:checkstyle
  • kafka:checkstyle
  • ubenchmark:checkstyle
  • linq4j:checkstyle
  • redis:checkstyle
  • babel:checkstyle
  • example:checkstyle
  • innodb:checkstyle

Identifiers

aopalliance-1.0.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/aopalliance/aopalliance/1.0/235ba8b489512805ac13a8f9ea77a1ca5ebe3e8/aopalliance-1.0.jar
MD5: 04177054e180d09e3998808efa0401c7
SHA1: 0235ba8b489512805ac13a8f9ea77a1ca5ebe3e8
SHA256:0addec670fedcd3f113c5c8091d783280d23f75e3acb841b61a9cdb079376a08
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

aopalliance-repackaged-2.4.0-b34.jar

Description:

Dependency Injection Kernel

License:

https://glassfish.java.net/nonav/public/CDDL+GPL_1_1.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.glassfish.hk2.external/aopalliance-repackaged/2.4.0-b34/3d5e856dbc91a3a2b0bcb3a3424f8b62421ae4cf/aopalliance-repackaged-2.4.0-b34.jar
MD5: 57983543b3574e117d6f03ceff5f238c
SHA1: 3d5e856dbc91a3a2b0bcb3a3424f8b62421ae4cf
SHA256:5d3cb0cece722c7ba8ab987b931053cdbcb0cb12ad5c8c8a7691eb6f7e60a64b
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

apacheds-i18n-2.0.0-M15.jar

Description:

Internationalization of errors and other messages

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.directory.server/apacheds-i18n/2.0.0-M15/71c61c84683152ec2a6a65f3f96fe534e304fa22/apacheds-i18n-2.0.0-M15.jar
MD5: f5877c02fd56ade67713560e589c81b9
SHA1: 71c61c84683152ec2a6a65f3f96fe534e304fa22
SHA256:bd3b7cece7fc6364cbce32b9edd0e9628a3e889c6a93cdeff1b5e2131e2a007c
Referenced In Projects/Scopes:
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • piglet:default
  • spark:runtimeClasspath

Identifiers

CVE-2020-7791  

This affects the package i18n before 2.1.15. Vulnerability arises out of insufficient handling of erroneous language tags in src/i18n/Concrete/TextLocalizer.cs and src/i18n/LocalizedApplication.cs.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


apacheds-kerberos-codec-2.0.0-M15.jar

Description:

The Kerberos protocol encoder/decoder module

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.directory.server/apacheds-kerberos-codec/2.0.0-M15/1c16e4e477183641c5f0dd5cdecd27ec331bacb5/apacheds-kerberos-codec-2.0.0-M15.jar
MD5: 3118e22eac44e150c383df1d417772f4
SHA1: 1c16e4e477183641c5f0dd5cdecd27ec331bacb5
SHA256:4996f5b72497e94dd86d64a370158c4fb0049eea9b17ff8b27a4671d6c136ded
Referenced In Projects/Scopes:
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • piglet:default
  • spark:runtimeClasspath

Identifiers

api-asn1-api-1.0.0-M20.jar

Description:

ASN.1 API

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.directory.api/api-asn1-api/1.0.0-M20/5e6486ffa3125ba44dc410ead166e1d6ba8ac76d/api-asn1-api-1.0.0-M20.jar
MD5: cf4561832dab76e9f37461342ec18d17
SHA1: 5e6486ffa3125ba44dc410ead166e1d6ba8ac76d
SHA256:484aaf4b888b0eb699d95bea265c2d5b6ebec951d70e5c5f7691cd52dd4c8298
Referenced In Projects/Scopes:
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • piglet:default
  • spark:runtimeClasspath

Identifiers

api-util-1.0.0-M20.jar

Description:

Utilities shared across this top level project

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.directory.api/api-util/1.0.0-M20/a871abf060b3cf83fc6dc4d7e3d151fce50ac3cb/api-util-1.0.0-M20.jar
MD5: 2c5a6722666882024becdd64301be492
SHA1: a871abf060b3cf83fc6dc4d7e3d151fce50ac3cb
SHA256:fd32fd047ccf143c58d093b58811aa81e539f8cf83c1187809f1a241a1df12d1
Referenced In Projects/Scopes:
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • piglet:default
  • spark:runtimeClasspath

Identifiers

CVE-2018-1337  

In Apache Directory LDAP API before 1.0.2, a bug in the way the SSL Filter was setup made it possible for another thread to use the connection before the TLS layer has been established, if the connection has already been used and put back in a pool of connections, leading to leaking any information contained in this request (including the credentials when sending a BIND request).
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


apiguardian-api-1.1.0.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apiguardian/apiguardian-api/1.1.0/fc9dff4bb36d627bdc553de77e1f17efd790876c/apiguardian-api-1.1.0.jar
MD5: 944805817b648e558ed6be6fc7f054f3
SHA1: fc9dff4bb36d627bdc553de77e1f17efd790876c
SHA256:a9aae9ff8ae3e17a2a18f79175e82b16267c246fbbd3ca9dfbbb290b08dcfdd4
Referenced In Projects/Scopes:

  • cassandra:compileClasspath
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • spark:default
  • splunk:default
  • kafka:default
  • spark:compileClasspath
  • server:runtimeClasspath
  • cassandra:runtimeClasspath
  • druid:default
  • spark:runtimeClasspath
  • linq4j:runtimeClasspath
  • linq4j:default
  • druid:compileClasspath
  • plus:compileClasspath
  • linq4j:compileClasspath
  • pig:default
  • plus:runtimeClasspath
  • splunk:compileClasspath
  • function:default
  • file:compileClasspath
  • core:implementationDependenciesMetadata
  • kafka:runtimeClasspath
  • splunk:runtimeClasspath
  • file:runtimeClasspath
  • innodb:runtimeClasspath
  • elasticsearch:default
  • kafka:compileClasspath
  • druid:runtimeClasspath
  • mongodb:default
  • cassandra:default
  • babel:default
  • function:runtimeClasspath
  • redis:compileClasspath
  • redis:runtimeClasspath
  • core:default
  • function:compileClasspath
  • elasticsearch:compileClasspath
  • babel:runtimeClasspath
  • elasticsearch:runtimeClasspath
  • innodb:default
  • piglet:default
  • babel:compileClasspath
  • csv:default
  • innodb:compileClasspath
  • core:compileClasspath
  • calcite:sqllineClasspath
  • core:runtimeClasspath
  • geode:default
  • geode:compileClasspath
  • mongodb:runtimeClasspath
  • file:default
  • server:default
  • ubenchmark:jmhCompileClasspath
  • pig:runtimeClasspath
  • mongodb:compileClasspath
  • server:compileClasspath
  • redis:default
  • geode:runtimeClasspath
  • csv:compileClasspath
  • csv:runtimeClasspath
  • plus:default
  • pig:compileClasspath

Identifiers

asm-3.1.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/asm/asm/3.1/c157def142714c544bdea2e6144645702adf7097/asm-3.1.jar
MD5: b9b8d2d556f9458aac8c463fd511f86d
SHA1: c157def142714c544bdea2e6144645702adf7097
SHA256:333ff5369043975b7e031b8b27206937441854738e038c1f47f98d072a20437a
Referenced In Projects/Scopes:

  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • piglet:default

Identifiers

asm-5.0.3.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.ow2.asm/asm/5.0.3/dcc2193db20e19e1feca8b1240dbbc4e190824fa/asm-5.0.3.jar
MD5: ccebee99fb8cdd50e1967680a2eac0ba
SHA1: dcc2193db20e19e1feca8b1240dbbc4e190824fa
SHA256:71c4f78e437b8fdcd9cc0dfd2abea8c089eb677005a6a5cff320206cc52b46cc
Referenced In Project/Scope:ubenchmark:jmh

Identifiers

asm-7.2.jar

License:

BSD-3-Clause;link=https://asm.ow2.io/LICENSE.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.ow2.asm/asm/7.2/fa637eb67eb7628c915d73762b681ae7ff0b9731/asm-7.2.jar
MD5: 26cf10dfd4729fd22fcae0694e041167
SHA1: fa637eb67eb7628c915d73762b681ae7ff0b9731
SHA256:7e6cc9e92eb94d04e39356c6d8144ca058cda961c344a7f62166a405f3206672
Referenced In Projects/Scopes:
  • cassandra:compileClasspath
  • babel:default
  • piglet:runtimeClasspath
  • spark:default
  • splunk:default
  • function:runtimeClasspath
  • kafka:default
  • redis:runtimeClasspath
  • server:runtimeClasspath
  • cassandra:runtimeClasspath
  • druid:default
  • spark:runtimeClasspath
  • core:default
  • babel:runtimeClasspath
  • elasticsearch:runtimeClasspath
  • innodb:default
  • piglet:default
  • pig:default
  • plus:runtimeClasspath
  • function:default
  • csv:default
  • core:implementationDependenciesMetadata
  • kafka:runtimeClasspath
  • splunk:runtimeClasspath
  • core:compileClasspath
  • file:runtimeClasspath
  • innodb:runtimeClasspath
  • calcite:sqllineClasspath
  • core:runtimeClasspath
  • geode:default
  • elasticsearch:default
  • druid:runtimeClasspath
  • mongodb:runtimeClasspath
  • file:default
  • server:default
  • ubenchmark:jmhCompileClasspath
  • pig:runtimeClasspath
  • mongodb:default
  • redis:default
  • geode:runtimeClasspath
  • csv:runtimeClasspath
  • plus:default
  • cassandra:default

Identifiers

asm-analysis-7.2.jar

License:

BSD-3-Clause;link=https://asm.ow2.io/LICENSE.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.ow2.asm/asm-analysis/7.2/b6e6abe057f23630113f4167c34bda7086691258/asm-analysis-7.2.jar
MD5: e0aa4ec0cfa837415818aac762ed5dc2
SHA1: b6e6abe057f23630113f4167c34bda7086691258
SHA256:be922aae60ff1ff1768e8e6544a38a7f92bd0a6d6b0b9791f94955d1bd453de2
Referenced In Projects/Scopes:
  • cassandra:compileClasspath
  • calcite:sqllineClasspath
  • cassandra:runtimeClasspath
  • cassandra:default

Identifiers

asm-commons-7.2.jar

License:

BSD-3-Clause;link=https://asm.ow2.io/LICENSE.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.ow2.asm/asm-commons/7.2/ca2954e8d92a05bacc28ff465b25c70e0f512497/asm-commons-7.2.jar
MD5: 321121317a6c6221cc26e8f9ee97022f
SHA1: ca2954e8d92a05bacc28ff465b25c70e0f512497
SHA256:0e86b8b179c5fb223d1a880a0ff4960b6978223984b94e62e71135f2d8ea3558
Referenced In Projects/Scopes:
  • cassandra:compileClasspath
  • calcite:sqllineClasspath
  • cassandra:runtimeClasspath
  • cassandra:default

Identifiers

asm-tree-7.2.jar

License:

BSD-3-Clause;link=https://asm.ow2.io/LICENSE.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.ow2.asm/asm-tree/7.2/3a23cc36edaf8fc5a89cb100182758ccb5991487/asm-tree-7.2.jar
MD5: c7214695c379f25861500e576a1f8cea
SHA1: 3a23cc36edaf8fc5a89cb100182758ccb5991487
SHA256:c063f5a67fa03cdc9bd79fd1c2ea6816cc4a19473ecdfbd9e9153b408c6f2656
Referenced In Projects/Scopes:
  • cassandra:compileClasspath
  • calcite:sqllineClasspath
  • cassandra:runtimeClasspath
  • cassandra:default

Identifiers

asm-util-7.2.jar

License:

BSD-3-Clause;link=https://asm.ow2.io/LICENSE.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.ow2.asm/asm-util/7.2/a3ae34e57fa8a4040e28247291d0cc3d6b8c7bcf/asm-util-7.2.jar
MD5: 0891d2562ab1db2a1d5fc013af9b40c5
SHA1: a3ae34e57fa8a4040e28247291d0cc3d6b8c7bcf
SHA256:6e24913b021ffacfe8e7e053d6e0ccc731941148cfa078d4f1ed3d96904530f8
Referenced In Projects/Scopes:
  • cassandra:compileClasspath
  • calcite:sqllineClasspath
  • cassandra:runtimeClasspath
  • cassandra:default

Identifiers

automaton-1.11-8.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/dk.brics.automaton/automaton/1.11-8/6ebfa65eb431ff4b715a23be7a750cbc4cc96d0f/automaton-1.11-8.jar
MD5: 3467dcbbba2fe68a4e07a5826988e034
SHA1: 6ebfa65eb431ff4b715a23be7a750cbc4cc96d0f
SHA256:a24475f6ccfe1cc7a4fe9e34e05ce687b0ce0c6e8cb781e0eced3b186482c61e
Referenced In Projects/Scopes:

  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • pig:runtimeClasspath
  • piglet:default
  • pig:default
  • pig:compileClasspath

Identifiers

avatica-core-1.17.0.jar

License:

Apache-2.0
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.calcite.avatica/avatica-core/1.17.0/d69e7e0f02610af0f432e5241d7a202ab48bf3cb/avatica-core-1.17.0.jar
MD5: 17281ec720a334d55458c9ae6aeb0392
SHA1: d69e7e0f02610af0f432e5241d7a202ab48bf3cb
SHA256:0f6db960de59f23386792843fcd7e500007d2d8feab08cdead7a6bd07721c54d
Referenced In Projects/Scopes:
  • cassandra:compileClasspath
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • spark:default
  • splunk:default
  • kafka:default
  • spark:compileClasspath
  • server:runtimeClasspath
  • cassandra:runtimeClasspath
  • druid:default
  • spark:runtimeClasspath
  • linq4j:runtimeClasspath
  • linq4j:default
  • druid:compileClasspath
  • plus:compileClasspath
  • linq4j:compileClasspath
  • pig:default
  • plus:runtimeClasspath
  • splunk:compileClasspath
  • function:default
  • file:compileClasspath
  • core:implementationDependenciesMetadata
  • kafka:runtimeClasspath
  • splunk:runtimeClasspath
  • file:runtimeClasspath
  • innodb:runtimeClasspath
  • elasticsearch:default
  • kafka:compileClasspath
  • druid:runtimeClasspath
  • mongodb:default
  • cassandra:default
  • babel:default
  • function:runtimeClasspath
  • redis:compileClasspath
  • redis:runtimeClasspath
  • core:default
  • function:compileClasspath
  • elasticsearch:compileClasspath
  • babel:runtimeClasspath
  • elasticsearch:runtimeClasspath
  • innodb:default
  • piglet:default
  • babel:compileClasspath
  • csv:default
  • innodb:compileClasspath
  • core:compileClasspath
  • calcite:sqllineClasspath
  • core:runtimeClasspath
  • geode:default
  • geode:compileClasspath
  • mongodb:runtimeClasspath
  • file:default
  • server:default
  • ubenchmark:jmhCompileClasspath
  • pig:runtimeClasspath
  • mongodb:compileClasspath
  • server:compileClasspath
  • redis:default
  • geode:runtimeClasspath
  • csv:compileClasspath
  • csv:runtimeClasspath
  • plus:default
  • pig:compileClasspath

Identifiers

CVE-2020-13955  

HttpUtils#getURLConnection method disables explicitly hostname verification for HTTPS connections making clients vulnerable to man-in-the-middle attacks. Calcite uses internally this method to connect with Druid and Splunk so information leakage may happen when using the respective Calcite adapters. The method itself is in a utility class so people may use it to create vulnerable HTTPS connections for other applications. From Apache Calcite 1.26 onwards, the hostname verification will be performed using the default JVM truststore.
CWE-306 Missing Authentication for Critical Function

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N


avatica-metrics-1.17.0.jar

License:

Apache-2.0
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.calcite.avatica/avatica-metrics/1.17.0/c1c778095d3069504b17155c468169075c646e75/avatica-metrics-1.17.0.jar
MD5: f4c86c13e6b466e90b177fbc29328d58
SHA1: c1c778095d3069504b17155c468169075c646e75
SHA256:a3b5df76c52fa0cd93e17d6bccc149652c32163b97da995a8ec8c8690421a604
Referenced In Projects/Scopes:
  • cassandra:compileClasspath
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • spark:default
  • splunk:default
  • kafka:default
  • spark:compileClasspath
  • server:runtimeClasspath
  • cassandra:runtimeClasspath
  • druid:default
  • spark:runtimeClasspath
  • linq4j:runtimeClasspath
  • linq4j:default
  • druid:compileClasspath
  • plus:compileClasspath
  • linq4j:compileClasspath
  • pig:default
  • plus:runtimeClasspath
  • splunk:compileClasspath
  • function:default
  • file:compileClasspath
  • core:implementationDependenciesMetadata
  • kafka:runtimeClasspath
  • splunk:runtimeClasspath
  • file:runtimeClasspath
  • innodb:runtimeClasspath
  • elasticsearch:default
  • kafka:compileClasspath
  • druid:runtimeClasspath
  • mongodb:default
  • cassandra:default
  • babel:default
  • function:runtimeClasspath
  • redis:compileClasspath
  • redis:runtimeClasspath
  • core:default
  • function:compileClasspath
  • elasticsearch:compileClasspath
  • babel:runtimeClasspath
  • elasticsearch:runtimeClasspath
  • innodb:default
  • piglet:default
  • babel:compileClasspath
  • csv:default
  • innodb:compileClasspath
  • core:compileClasspath
  • calcite:sqllineClasspath
  • core:runtimeClasspath
  • geode:default
  • geode:compileClasspath
  • mongodb:runtimeClasspath
  • file:default
  • server:default
  • ubenchmark:jmhCompileClasspath
  • pig:runtimeClasspath
  • mongodb:compileClasspath
  • server:compileClasspath
  • redis:default
  • geode:runtimeClasspath
  • csv:compileClasspath
  • csv:runtimeClasspath
  • plus:default
  • pig:compileClasspath

Identifiers

CVE-2020-13955  

HttpUtils#getURLConnection method disables explicitly hostname verification for HTTPS connections making clients vulnerable to man-in-the-middle attacks. Calcite uses internally this method to connect with Druid and Splunk so information leakage may happen when using the respective Calcite adapters. The method itself is in a utility class so people may use it to create vulnerable HTTPS connections for other applications. From Apache Calcite 1.26 onwards, the hostname verification will be performed using the default JVM truststore.
CWE-306 Missing Authentication for Critical Function

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N


avatica-server-1.17.0.jar

License:

Apache-2.0
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.calcite.avatica/avatica-server/1.17.0/cadc51ec46ac0586c94ec1740f1dcb200ef244ac/avatica-server-1.17.0.jar
MD5: 13029dd895bcd99343341131ff89bc97
SHA1: cadc51ec46ac0586c94ec1740f1dcb200ef244ac
SHA256:e6abe198723084664c027a018843e0fe18203eeb03a920b07b22aea739366806
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • plus:compileClasspath
  • plus:default
  • plus:runtimeClasspath

Identifiers

CVE-2020-13955  

HttpUtils#getURLConnection method disables explicitly hostname verification for HTTPS connections making clients vulnerable to man-in-the-middle attacks. Calcite uses internally this method to connect with Druid and Splunk so information leakage may happen when using the respective Calcite adapters. The method itself is in a utility class so people may use it to create vulnerable HTTPS connections for other applications. From Apache Calcite 1.26 onwards, the hostname verification will be performed using the default JVM truststore.
CWE-306 Missing Authentication for Critical Function

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N


avro-1.7.4.jar

Description:

Avro core components

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.avro/avro/1.7.4/416e7030879814f52845b97f04bb50ecd1cef372/avro-1.7.4.jar
MD5: de02dfb1f5880c0b422f215ffcaa3379
SHA1: 416e7030879814f52845b97f04bb50ecd1cef372
SHA256:a01d26e9a5ed0754e8c88dbb373fba896c57df0a0c424185767a3857855bb222
Referenced In Projects/Scopes:

  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • pig:runtimeClasspath
  • piglet:default
  • pig:default
  • pig:compileClasspath

Identifiers

avro-1.7.7.jar

Description:

Avro core components

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.avro/avro/1.7.7/3548c0bc136e71006f3fc34e22d34a29e5069e50/avro-1.7.7.jar
MD5: e910e3a3bad0181b1e2e55856cf3ce83
SHA1: 3548c0bc136e71006f3fc34e22d34a29e5069e50
SHA256:5ba0a81f4b0769122b6045b98bb9bbba5f2c69dbf736a6cc7ca4eb603c337487
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

avro-ipc-1.7.7-tests.jar

Description:

Avro inter-process communication components

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.avro/avro-ipc/1.7.7/1ef0eeefcd80710085a95172819c78cf2cb7f13d/avro-ipc-1.7.7-tests.jar
MD5: f09bac463cf1bdfb5eacbcf77f0e71f5
SHA1: 1ef0eeefcd80710085a95172819c78cf2cb7f13d
SHA256:496c8137f1bc2e2fcaef8c42e4fe7aec02975d34487d413f7ad8cb8857626ddc
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

avro-ipc-1.7.7.jar

Description:

Avro inter-process communication components

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.avro/avro-ipc/1.7.7/b754e613b8fbd8c81fb6fb250e658f6c16efbffa/avro-ipc-1.7.7.jar
MD5: fce7b2ae71c6a5dc996340b6cfa060f4
SHA1: b754e613b8fbd8c81fb6fb250e658f6c16efbffa
SHA256:55d369313d9947a8f3250837526bdb90b7608101b4acc881c32f35fc16cc21e2
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

avro-mapred-1.7.7-hadoop2.jar

Description:

An org.apache.hadoop.mapred compatible API for using Avro Serialization in Hadoop

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.avro/avro-mapred/1.7.7/d8f23aff4a3c827c6a35009c8182872bfc0e52f5/avro-mapred-1.7.7-hadoop2.jar
MD5: 5c40924393b4a7e87a98c722cd1f0606
SHA1: d8f23aff4a3c827c6a35009c8182872bfc0e52f5
SHA256:c79cf519f4ee3d278b9cdf0b3814d686a911d1bc37c1626bc2bcb4bd279f4895
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

backport-util-concurrent-3.1.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/backport-util-concurrent/backport-util-concurrent/3.1/682f7ac17fed79e92f8e87d8455192b63376347b/backport-util-concurrent-3.1.jar
MD5: 748bb0cbf4780b2e3121dc9c12e10cd9
SHA1: 682f7ac17fed79e92f8e87d8455192b63376347b
SHA256:f5759b7fcdfc83a525a036deedcbd32e5b536b625ebc282426f16ca137eb5902
Referenced In Projects/Scopes:

  • file:compileClasspath
  • file:runtimeClasspath
  • calcite:sqllineClasspath
  • csv:runtimeClasspath
  • file:default
  • csv:default

Identifiers

base64-2.3.8.jar

Description:

A Java class providing very fast Base64 encoding and decoding in the form of convenience methods and input/output streams.

License:

Public domain
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.iharder/base64/2.3.8/7d2e2cea90cc51169fd02a35888820ab07f6d02f/base64-2.3.8.jar
MD5: 9a9828f0caa016a2f3e0c90fe3af771b
SHA1: 7d2e2cea90cc51169fd02a35888820ab07f6d02f
SHA256:bbf41fda22877a538f6bc2d5ad0aa372a7ddf4a756af3386aa09d3d4eea84f7f
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

bcprov-jdk15on-1.60.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.60/bd47ad3bd14b8e82595c7adaa143501e60842a84/bcprov-jdk15on-1.60.jar
MD5: 435ff931af9ed4430d2a27456b0386b2
SHA1: bd47ad3bd14b8e82595c7adaa143501e60842a84
SHA256:7f1a0e6badab38666f8467a9a0ee96656b2f8ec8623867ed34f3cdc173b7ee07
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

CVE-2020-26939  

In Legion of the Bouncy Castle BC before 1.61 and BC-FJA before 1.0.1.2, attackers can obtain sensitive information about a private exponent because of Observable Differences in Behavior to Error Inputs. This occurs in org.bouncycastle.crypto.encodings.OAEPEncoding. Sending invalid ciphertext that decrypts to a short payload in the OAEP Decoder could result in the throwing of an early exception, potentially leaking some information about the private exponent of the RSA private key performing the encryption.
CWE-203 Information Exposure Through Discrepancy

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N


bsh-2.0b4.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.beanshell/bsh/2.0b4/a05f0a0feefa8d8467ac80e16e7de071489f0d9c/bsh-2.0b4.jar
MD5: a1c60aa83c9c9a6cb2391c1c1b85eb00
SHA1: a05f0a0feefa8d8467ac80e16e7de071489f0d9c
SHA256:91395c07885839a8c6986d5b7c577cd9bacf01bf129c89141f35e8ea858427b6
Referenced In Projects/Scopes:

  • babel:fmppClaspath
  • server:fmppClaspath
  • core:fmppClaspath

Identifiers

CVE-2016-2510 (OSSINDEX)  

BeanShell (bsh) before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler.
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.beanshell:bsh:2.0b4:*:*:*:*:*:*:*

calcite-babel-1.27.0-SNAPSHOT.jar

License:

Apache-2.0
File Path: /home/stamatis/Projects/Apache/calcite/babel/build/libs/calcite-babel-1.27.0-SNAPSHOT.jar
MD5: a9c341167f2354704526f7987bba6d34
SHA1: 09eb40e5a183380b94e49e1a3f294355b9564c0a
SHA256:932ff895f250523e953066d8e3cb85ca1660cf9723fd979fd1e0f005a9e59c82
Referenced In Project/Scope:calcite:sqllineClasspath

Identifiers

calcite-cassandra-1.27.0-SNAPSHOT.jar

License:

Apache-2.0
File Path: /home/stamatis/Projects/Apache/calcite/cassandra/build/libs/calcite-cassandra-1.27.0-SNAPSHOT.jar
MD5: b36e40d094e656cb7c3649c9a02f07b5
SHA1: c460538001594b98010c30c98c37e0c3927060a8
SHA256:c9b5d5b8016f4413f408227820b3c9fdee90c39e2c321748af3d270d02c101ac
Referenced In Project/Scope:calcite:sqllineClasspath

Identifiers

CVE-2020-13946  

In Apache Cassandra, all versions prior to 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2, it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and perform unauthorised operations. Users should also be aware of CVE-2019-2684, a JRE vulnerability that enables this issue to be exploited remotely.
CWE-668 Exposure of Resource to Wrong Sphere

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N


calcite-core-1.27.0-SNAPSHOT.jar

License:

Apache-2.0
File Path: /home/stamatis/Projects/Apache/calcite/core/build/libs/calcite-core-1.27.0-SNAPSHOT.jar
MD5: 113305aa8972a4784033ecdabf53d99a
SHA1: b42f1fd1172d35f3f621188d072f09e72808ba4b
SHA256:1efd29979e82c28a7c47feaa1608f2c9736b85e6b45c826df95b0313151f8182
Referenced In Projects/Scopes:
  • cassandra:compileClasspath
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • spark:default
  • splunk:default
  • kafka:default
  • spark:compileClasspath
  • server:runtimeClasspath
  • cassandra:runtimeClasspath
  • druid:default
  • spark:runtimeClasspath
  • druid:compileClasspath
  • plus:compileClasspath
  • pig:default
  • plus:runtimeClasspath
  • splunk:compileClasspath
  • function:default
  • file:compileClasspath
  • kafka:runtimeClasspath
  • splunk:runtimeClasspath
  • file:runtimeClasspath
  • innodb:runtimeClasspath
  • elasticsearch:default
  • kafka:compileClasspath
  • druid:runtimeClasspath
  • mongodb:default
  • cassandra:default
  • babel:default
  • function:runtimeClasspath
  • redis:compileClasspath
  • redis:runtimeClasspath
  • function:compileClasspath
  • elasticsearch:compileClasspath
  • babel:runtimeClasspath
  • elasticsearch:runtimeClasspath
  • innodb:default
  • piglet:default
  • babel:compileClasspath
  • csv:default
  • innodb:compileClasspath
  • calcite:sqllineClasspath
  • geode:default
  • geode:compileClasspath
  • mongodb:runtimeClasspath
  • file:default
  • server:default
  • ubenchmark:jmhCompileClasspath
  • pig:runtimeClasspath
  • mongodb:compileClasspath
  • server:compileClasspath
  • redis:default
  • geode:runtimeClasspath
  • csv:compileClasspath
  • csv:runtimeClasspath
  • plus:default
  • pig:compileClasspath

Identifiers

calcite-druid-1.27.0-SNAPSHOT.jar

License:

Apache-2.0
File Path: /home/stamatis/Projects/Apache/calcite/druid/build/libs/calcite-druid-1.27.0-SNAPSHOT.jar
MD5: 50e9ab2e98945f64614bbe95aba3e59b
SHA1: c2bfca773697bccb2d4d218a9d0167db4cda50df
SHA256:cd7ce3c9be4d1dd1191f9128c43e90b84e603fcf18f2f04acc3019d2fd1b035e
Referenced In Project/Scope:calcite:sqllineClasspath

Identifiers

calcite-elasticsearch-1.27.0-SNAPSHOT.jar

License:

Apache-2.0
File Path: /home/stamatis/Projects/Apache/calcite/elasticsearch/build/libs/calcite-elasticsearch-1.27.0-SNAPSHOT.jar
MD5: 5f6062973305bf8ab81b0403f97dae2d
SHA1: 82e40b5d2f09793f208b386c918892006c16aa41
SHA256:92776d571b7f9fcd7d80430cef5921a9c5101a26b3d26d8d7b3feaa6f80c5cc5
Referenced In Project/Scope:calcite:sqllineClasspath

Identifiers

calcite-file-1.27.0-SNAPSHOT.jar

License:

Apache-2.0
File Path: /home/stamatis/Projects/Apache/calcite/file/build/libs/calcite-file-1.27.0-SNAPSHOT.jar
MD5: fe8d14acc055d09b182edce74c8f8e40
SHA1: 56c4aa1bf21d2d3a66a41a185dca6949196f313e
SHA256:5c9deb00ad74de1354ae9cb4907caeafc06d657e5dc71030ea99016e8172ca72
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • csv:compileClasspath
  • csv:runtimeClasspath
  • csv:default

Identifiers

calcite-geode-1.27.0-SNAPSHOT.jar

License:

Apache-2.0
File Path: /home/stamatis/Projects/Apache/calcite/geode/build/libs/calcite-geode-1.27.0-SNAPSHOT.jar
MD5: 313b474a73934bb2b22772a486cc992f
SHA1: 0fc1f5ba657c551b40ff56991da9b34523e70392
SHA256:3560d728f77b4d7e14a8922b439e60d6fbab5d092bf537d65d1ab7321db23d11
Referenced In Project/Scope:calcite:sqllineClasspath

Identifiers

calcite-innodb-1.27.0-SNAPSHOT.jar

License:

Apache-2.0
File Path: /home/stamatis/Projects/Apache/calcite/innodb/build/libs/calcite-innodb-1.27.0-SNAPSHOT.jar
MD5: 6c06f60d001f44314cd9deff5976d6d1
SHA1: 5a926c9a7b2f960faf2dcb4e3f7eb6445d4847eb
SHA256:ca7fc8c9577e7b8e67ef6b51153a6289ec58e34a40a55008c26948e031d3c23f
Referenced In Project/Scope:calcite:sqllineClasspath

Identifiers

calcite-kafka-1.27.0-SNAPSHOT.jar

License:

Apache-2.0
File Path: /home/stamatis/Projects/Apache/calcite/kafka/build/libs/calcite-kafka-1.27.0-SNAPSHOT.jar
MD5: 69bf6a9c2640cf31d0571982ecc88168
SHA1: ac01b0805affe004de6c64848126396a881a41a2
SHA256:5f1755af035ab95442183b07be47b11d67112fbe21d3f556c0df973897ae5f67
Referenced In Project/Scope:calcite:sqllineClasspath

Identifiers

CVE-2018-17196  

In Apache Kafka versions between 0.11.0.0 and 2.1.0, it is possible to manually craft a Produce request which bypasses transaction/idempotent ACL validation. Only authenticated clients with Write permission on the respective topics are able to exploit this vulnerability. Users should upgrade to 2.1.1 or later where this vulnerability has been fixed.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H


calcite-linq4j-1.27.0-SNAPSHOT.jar

License:

Apache-2.0
File Path: /home/stamatis/Projects/Apache/calcite/linq4j/build/libs/calcite-linq4j-1.27.0-SNAPSHOT.jar
MD5: aa77dd1c0e1d978193fba2a87aa7eeae
SHA1: a421394fda595e436505d75fae6587749766af87
SHA256:424c734be61cfadc2489f73831d6ec4bd49fed75325e33c6fc438e88f2bf3739
Referenced In Projects/Scopes:
  • cassandra:compileClasspath
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • spark:default
  • splunk:default
  • kafka:default
  • spark:compileClasspath
  • server:runtimeClasspath
  • cassandra:runtimeClasspath
  • druid:default
  • spark:runtimeClasspath
  • druid:compileClasspath
  • plus:compileClasspath
  • pig:default
  • plus:runtimeClasspath
  • splunk:compileClasspath
  • function:default
  • file:compileClasspath
  • core:implementationDependenciesMetadata
  • kafka:runtimeClasspath
  • splunk:runtimeClasspath
  • file:runtimeClasspath
  • innodb:runtimeClasspath
  • elasticsearch:default
  • kafka:compileClasspath
  • druid:runtimeClasspath
  • mongodb:default
  • cassandra:default
  • babel:default
  • function:runtimeClasspath
  • redis:compileClasspath
  • redis:runtimeClasspath
  • core:default
  • function:compileClasspath
  • elasticsearch:compileClasspath
  • babel:runtimeClasspath
  • elasticsearch:runtimeClasspath
  • innodb:default
  • piglet:default
  • babel:compileClasspath
  • csv:default
  • innodb:compileClasspath
  • core:compileClasspath
  • calcite:sqllineClasspath
  • core:apiDependenciesMetadata
  • core:runtimeClasspath
  • geode:default
  • geode:compileClasspath
  • mongodb:runtimeClasspath
  • file:default
  • server:default
  • ubenchmark:jmhCompileClasspath
  • pig:runtimeClasspath
  • mongodb:compileClasspath
  • server:compileClasspath
  • redis:default
  • geode:runtimeClasspath
  • csv:compileClasspath
  • csv:runtimeClasspath
  • plus:default
  • pig:compileClasspath

Identifiers

calcite-mongodb-1.27.0-SNAPSHOT.jar

License:

Apache-2.0
File Path: /home/stamatis/Projects/Apache/calcite/mongodb/build/libs/calcite-mongodb-1.27.0-SNAPSHOT.jar
MD5: 0b0a19fae6aee1434f001558a5a46a70
SHA1: 2e6ad4dbc9d0d3c13250f00d540ab54da1bc2eb5
SHA256:4205da6f1cd594e7dc812d2fa01489bf13d138c6fda01b76e48d5c1444141f12
Referenced In Project/Scope:calcite:sqllineClasspath

Identifiers

calcite-pig-1.27.0-SNAPSHOT.jar

License:

Apache-2.0
File Path: /home/stamatis/Projects/Apache/calcite/pig/build/libs/calcite-pig-1.27.0-SNAPSHOT.jar
MD5: fd504909c550767df47ceb0b669a4315
SHA1: a32dce7b43a96b83330025fbba23ad006f31db86
SHA256:b48b69c8a81de35590e10d92039950d908b2eae5f6a4baf652a54fa5741165ff
Referenced In Project/Scope:calcite:sqllineClasspath

Identifiers

calcite-piglet-1.27.0-SNAPSHOT.jar

License:

Apache-2.0
File Path: /home/stamatis/Projects/Apache/calcite/piglet/build/libs/calcite-piglet-1.27.0-SNAPSHOT.jar
MD5: 59e48d95495dab0d1fa5b8401d84e09f
SHA1: 7a3ea426927ba73c5fba70dd66130cdd53032b80
SHA256:e31b238ba3ce5156c2261f66d98df92cfcd3024fbbef125682cf6c258c19ef77
Referenced In Project/Scope:calcite:sqllineClasspath

Identifiers

calcite-plus-1.27.0-SNAPSHOT.jar

License:

Apache-2.0
File Path: /home/stamatis/Projects/Apache/calcite/plus/build/libs/calcite-plus-1.27.0-SNAPSHOT.jar
MD5: ebfd19702a51b962cbdf860088dc8a3c
SHA1: e14e9444c9a09410530c3a018ada530a997ff152
SHA256:5f6785a80e7ceec0b9e37b7b97827db92ace4d2b62ff5a75c9af4410fadcbb70
Referenced In Project/Scope:calcite:sqllineClasspath

Identifiers

calcite-redis-1.27.0-SNAPSHOT.jar

License:

Apache-2.0
File Path: /home/stamatis/Projects/Apache/calcite/redis/build/libs/calcite-redis-1.27.0-SNAPSHOT.jar
MD5: 178187a9f3814e90db417b02ec9eaf6d
SHA1: 24d53daa938f5da71826b2d944d136c49d0d400b
SHA256:5ba3978fc3c8406fb4866711d2df410d702f7c2461839b6b5cb41106384b22b2
Referenced In Project/Scope:calcite:sqllineClasspath

Identifiers

calcite-spark-1.27.0-SNAPSHOT.jar

License:

Apache-2.0
File Path: /home/stamatis/Projects/Apache/calcite/spark/build/libs/calcite-spark-1.27.0-SNAPSHOT.jar
MD5: 75d3c36f4efc32f38fd99f0e4b189733
SHA1: deea01c29c234241350fad9ad51f21850544d5db
SHA256:cff097e1b48e58fe9db65a4d3ede842dceadf981dfc809baff5016018b1ea043
Referenced In Project/Scope:calcite:sqllineClasspath

Identifiers

CVE-2017-7678  

In Apache Spark before 2.2.0, it is possible for an attacker to take advantage of a user's trust in the server to trick them into visiting a link that points to a shared Spark cluster and submits data including MHTML to the Spark master, or history server. This data, which could contain a script, would then be reflected back to the user and could be evaluated and executed by MS Windows-based clients. It is not an attack on Spark itself, but on the user, who may then execute the script inadvertently when viewing elements of the Spark web UIs.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2018-11770  

From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property 'spark.authenticate.secret' establishes a shared secret for authenticating requests to submit jobs via spark-submit. However, the REST API does not use this or any other authentication mechanism, and this is not adequately documented. In this case, a user would be able to run a driver program without authenticating, but not launch executors, using the REST API. This REST API is also used by Mesos, when set up to run in cluster mode (i.e., when also running MesosClusterDispatcher), for job submission. Future versions of Spark will improve documentation on these points, and prohibit setting 'spark.authenticate.secret' when running the REST APIs, to make this clear. Future versions will also disable the REST API by default in the standalone master by changing the default value of 'spark.master.rest.enabled' to 'false'.
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: MEDIUM (4.9)
  • Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.2)
  • Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2018-11804  

Spark's Apache Maven-based build includes a convenience script, 'build/mvn', that downloads and runs a zinc server to speed up compilation. It has been included in release branches since 1.3.x, up to and including master. This server will accept connections from external hosts by default. A specially-crafted request to the zinc server could cause it to reveal information in files readable to the developer account running the build. Note that this issue does not affect end users of Spark, only developers building Spark from source code.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2018-1334  

In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: LOW (1.9)
  • Vector: /AV:L/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.7)
  • Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2018-17190  

In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker, the execution of code on the master is nevertheless unexpected.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-9480  

In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc).
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: HIGH (9.3)
  • Vector: /AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

calcite-splunk-1.27.0-SNAPSHOT.jar

License:

Apache-2.0
File Path: /home/stamatis/Projects/Apache/calcite/splunk/build/libs/calcite-splunk-1.27.0-SNAPSHOT.jar
MD5: ce109a023797fbb7c173318ad21f07de
SHA1: 0a0d5ce7cbc8621af9bc544a53a3ce7394d50dd2
SHA256:1ce916d144d379ddb658e528972aedea96b5bb1411ac85059cc12d848d0f085a
Referenced In Project/Scope:calcite:sqllineClasspath

Identifiers

cassandra-driver-core-3.6.0.jar

Description:

A driver for Apache Cassandra 1.2+ that works exclusively with the Cassandra Query Language version 3 (CQL3) and Cassandra's binary protocol.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.datastax.cassandra/cassandra-driver-core/3.6.0/1d689ae757862f7c497dd6b186793d1bf921fd28/cassandra-driver-core-3.6.0.jar
MD5: 9df692b40e6988a343416faadfa44447
SHA1: 1d689ae757862f7c497dd6b186793d1bf921fd28
SHA256:98c47402b32e2dd78b2b2f4346087d0548f467f81f5be418ffdb229767a22a17
Referenced In Projects/Scopes:
  • cassandra:compileClasspath
  • calcite:sqllineClasspath
  • cassandra:runtimeClasspath
  • cassandra:default

Identifiers

cglib-2.2.1-v20090111.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.sonatype.sisu.inject/cglib/2.2.1-v20090111/7ce5e983fd0e6c78346f4c9cbfa39d83049dda2/cglib-2.2.1-v20090111.jar
MD5: 88af5931165ac8becab84a157c9bace0
SHA1: 07ce5e983fd0e6c78346f4c9cbfa39d83049dda2
SHA256:42e1dfb26becbf1a633f25b47e39fcc422b85e77e4c0468d9a44f885f5fa0be2
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

checker-qual-2.8.1.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.checkerframework/checker-qual/2.8.1/eb2e8ab75598548cc8acf9a1ca227e480e01881e/checker-qual-2.8.1.jar
MD5: e1c060246b024c4f260c6904e55a62a3
SHA1: eb2e8ab75598548cc8acf9a1ca227e480e01881e
SHA256:9103499008bcecd4e948da29b17864abb64304e15706444ae209d17ebe0575df
Referenced In Projects/Scopes:

  • splunk:checkstyle
  • cassandra:checkstyle
  • piglet:checkstyle
  • calcite:checkstyle
  • bom:checkstyle
  • function:checkstyle
  • spark:checkstyle
  • plus:checkstyle
  • pig:checkstyle
  • druid:checkstyle
  • csv:checkstyle
  • core:checkstyle
  • server:checkstyle
  • file:checkstyle
  • geode:checkstyle
  • mongodb:checkstyle
  • elasticsearch:checkstyle
  • release:checkstyle
  • kafka:checkstyle
  • ubenchmark:checkstyle
  • linq4j:checkstyle
  • redis:checkstyle
  • babel:checkstyle
  • example:checkstyle
  • innodb:checkstyle

Identifiers

checker-qual-3.10.0.jar

License:

MIT
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.checkerframework/checker-qual/3.10.0/710fd6abff4b26b40dc0917050dc4c67efcf60b6/checker-qual-3.10.0.jar
MD5: d7e964cf19235ee401c48383306aec86
SHA1: 710fd6abff4b26b40dc0917050dc4c67efcf60b6
SHA256:a4dc882ca6aac496d33381e5e5eb0604c45483b004bc3eac9368f1bb17cb2512
Referenced In Projects/Scopes:
  • cassandra:compileClasspath
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • spark:default
  • splunk:default
  • kafka:default
  • spark:compileClasspath
  • server:runtimeClasspath
  • cassandra:runtimeClasspath
  • druid:default
  • spark:runtimeClasspath
  • linq4j:runtimeClasspath
  • linq4j:default
  • druid:compileClasspath
  • plus:compileClasspath
  • linq4j:compileClasspath
  • pig:default
  • plus:runtimeClasspath
  • splunk:compileClasspath
  • function:default
  • file:compileClasspath
  • core:implementationDependenciesMetadata
  • kafka:runtimeClasspath
  • splunk:runtimeClasspath
  • file:runtimeClasspath
  • innodb:runtimeClasspath
  • elasticsearch:default
  • kafka:compileClasspath
  • druid:runtimeClasspath
  • mongodb:default
  • cassandra:default
  • babel:default
  • function:runtimeClasspath
  • redis:compileClasspath
  • redis:runtimeClasspath
  • core:default
  • function:compileClasspath
  • elasticsearch:compileClasspath
  • babel:runtimeClasspath
  • elasticsearch:runtimeClasspath
  • innodb:default
  • piglet:default
  • babel:compileClasspath
  • csv:default
  • innodb:compileClasspath
  • core:compileClasspath
  • calcite:sqllineClasspath
  • core:runtimeClasspath
  • geode:default
  • geode:compileClasspath
  • mongodb:runtimeClasspath
  • file:default
  • server:default
  • ubenchmark:jmhCompileClasspath
  • pig:runtimeClasspath
  • mongodb:compileClasspath
  • server:compileClasspath
  • redis:default
  • geode:runtimeClasspath
  • csv:compileClasspath
  • csv:runtimeClasspath
  • plus:default
  • pig:compileClasspath

Identifiers

checkstyle-8.28.jar

Description:

Checkstyle is a development tool to help programmers write Java code that adheres to a coding standard

License:

LGPL-2.1+: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.puppycrawl.tools/checkstyle/8.28/f3c2dbcd412b6963dad8a10f441ca2c2d80e5141/checkstyle-8.28.jar
MD5: 1daec82b7364d09cee02c033a16cd651
SHA1: f3c2dbcd412b6963dad8a10f441ca2c2d80e5141
SHA256:aa79665b6dccd2a76f76599bd61b28f8daf2ff60afdba9adc130c7134b86ec33
Referenced In Projects/Scopes:
  • splunk:checkstyle
  • cassandra:checkstyle
  • piglet:checkstyle
  • calcite:checkstyle
  • bom:checkstyle
  • function:checkstyle
  • spark:checkstyle
  • plus:checkstyle
  • pig:checkstyle
  • druid:checkstyle
  • csv:checkstyle
  • core:checkstyle
  • server:checkstyle
  • file:checkstyle
  • geode:checkstyle
  • mongodb:checkstyle
  • elasticsearch:checkstyle
  • release:checkstyle
  • kafka:checkstyle
  • ubenchmark:checkstyle
  • linq4j:checkstyle
  • redis:checkstyle
  • babel:checkstyle
  • example:checkstyle
  • innodb:checkstyle

Identifiers

CVE-2019-10782  

All versions of com.puppycrawl.tools:checkstyle before 8.29 are vulnerable to XML External Entity (XXE) Injection due to an incomplete fix for CVE-2019-9658.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions:

chill-java-0.8.0.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.twitter/chill-java/0.8.0/7ab1c85ae80f25c6e6d4aab720ff9394a5ac4d5d/chill-java-0.8.0.jar
MD5: bdcfcfdbe1d37933f199bae56864b7d3
SHA1: 7ab1c85ae80f25c6e6d4aab720ff9394a5ac4d5d
SHA256:35437ca2491823b74df3f9e98b2534a7fc853c562bf0969db12e21372a4f5e59
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

chill_2.10-0.8.0.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.twitter/chill_2.10/0.8.0/3646b3c6dec9e13d1bde44e7a5ba95f7198dfca8/chill_2.10-0.8.0.jar
MD5: 0d7eeabeac168edb9c2ce6aa00d063c1
SHA1: 3646b3c6dec9e13d1bde44e7a5ba95f7198dfca8
SHA256:766dffe1c5dee37ace70484e59b4f1841265355f8ef3af93e2febc8a77b8cb7c
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

chinook-data-hsqldb-0.1.jar

Description:

Chinook data set in hsqldb format

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.hydromatic/chinook-data-hsqldb/0.1/b53eb2e341198bb65ab4b28c415a872281802055/chinook-data-hsqldb-0.1.jar
MD5: a1f946559b62d4a2ca0df1fbcc1b0f5e
SHA1: b53eb2e341198bb65ab4b28c415a872281802055
SHA256:01e410d531007d24dbd0ce135a11a734052c855e453da474ee12dd10b7999018
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • plus:compileClasspath
  • plus:default
  • plus:runtimeClasspath

Identifiers

classgraph-4.0.6.jar

Description:

Uber-fast, ultra-lightweight Java classpath and module path scanner (formerly named FastClasspathScanner). https://github.com/classgraph/classgraph

License:

The MIT License (MIT): http://opensource.org/licenses/MIT
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/io.github.classgraph/classgraph/4.0.6/7fe1e7464ffd40c7333b8bbf53c4d73a7cbd7b4c/classgraph-4.0.6.jar
MD5: 7d170febb87aa7994272308df5c801b5
SHA1: 7fe1e7464ffd40c7333b8bbf53c4d73a7cbd7b4c
SHA256:b88663a3c775262afad6450d4670fc7c6afa64f4933db0d75e94d66f14230ef7
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • geode:default
  • geode:runtimeClasspath

Identifiers

commons-beanutils-1.7.0.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/commons-beanutils/commons-beanutils/1.7.0/5675fd96b29656504b86029551973d60fb41339b/commons-beanutils-1.7.0.jar
MD5: 0f18acf5fa857f9959675e14d901a7ce
SHA1: 5675fd96b29656504b86029551973d60fb41339b
SHA256:24bcaa20ccbdc7c856ce0c0aea144566943403e2e9f27bd9779cda1d76823ef4
Referenced In Projects/Scopes:

  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • spark:default
  • spark:compileClasspath
  • piglet:default
  • spark:runtimeClasspath

Identifiers

CVE-2014-0114  

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

References:

Vulnerable Software & Versions:

CVE-2019-10086  

In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

References:

Vulnerable Software & Versions:

commons-beanutils-1.9.3.jar

Description:

Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/commons-beanutils/commons-beanutils/1.9.3/c845703de334ddc6b4b3cd26835458cb1cba1f3d/commons-beanutils-1.9.3.jar
MD5: 4a105c9d029a7edc6f2b16567d37eab6
SHA1: c845703de334ddc6b4b3cd26835458cb1cba1f3d
SHA256:c058e39c7c64203d3a448f3adb588cb03d6378ed808485618f26e137f29dae73
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • geode:default
  • geode:compileClasspath
  • geode:runtimeClasspath

Identifiers

CVE-2019-10086  

In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

References:

Vulnerable Software & Versions:

commons-beanutils-1.9.4.jar

Description:

Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/commons-beanutils/commons-beanutils/1.9.4/d52b9abcd97f38c81342bb7e7ae1eee9b73cba51/commons-beanutils-1.9.4.jar
MD5: 07dc532ee316fe1f2f0323e9bd2f8df4
SHA1: d52b9abcd97f38c81342bb7e7ae1eee9b73cba51
SHA256:7d938c81789028045c08c065e94be75fc280527620d5bd62b519d5838532368a
Referenced In Projects/Scopes:
  • splunk:checkstyle
  • cassandra:checkstyle
  • piglet:checkstyle
  • calcite:checkstyle
  • bom:checkstyle
  • function:checkstyle
  • spark:checkstyle
  • plus:checkstyle
  • pig:checkstyle
  • druid:checkstyle
  • csv:checkstyle
  • core:checkstyle
  • server:checkstyle
  • file:checkstyle
  • geode:checkstyle
  • mongodb:checkstyle
  • elasticsearch:checkstyle
  • release:checkstyle
  • kafka:checkstyle
  • ubenchmark:checkstyle
  • linq4j:checkstyle
  • redis:checkstyle
  • babel:checkstyle
  • example:checkstyle
  • innodb:checkstyle

Identifiers

commons-beanutils-core-1.8.0.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/commons-beanutils/commons-beanutils-core/1.8.0/175dc721f87e4bc5cc0573f990e28c3cf9117508/commons-beanutils-core-1.8.0.jar
MD5: a33ba25ae637909a97a60ff1d1b38857
SHA1: 175dc721f87e4bc5cc0573f990e28c3cf9117508
SHA256:9038c7ddc61d3d8089eb5a52a24b430a202617d57d2d344a93b68e4eafefefde
Referenced In Projects/Scopes:

  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • piglet:default
  • spark:runtimeClasspath

Identifiers

CVE-2014-0114  

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

References:

Vulnerable Software & Versions:

CVE-2019-10086  

In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

References:

Vulnerable Software & Versions:

commons-cli-1.2.jar

Description:

Commons CLI provides a simple API for presenting, processing and validating a command line interface.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/commons-cli/commons-cli/1.2/2bf96b7aa8b611c177d329452af1dc933e14501c/commons-cli-1.2.jar
MD5: bfdcae1ff93f0c07d733f03bdce28c9e
SHA1: 2bf96b7aa8b611c177d329452af1dc933e14501c
SHA256:e7cd8951956d349b568b7ccfd4f5b2529a8c113e67c32b028f52ffda371259d9
Referenced In Projects/Scopes:
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • pig:runtimeClasspath
  • spark:default
  • spark:compileClasspath
  • piglet:default
  • pig:default
  • spark:runtimeClasspath
  • pig:compileClasspath

Identifiers

commons-codec-1.12.jar

Description:

The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.12/47a28ef1ed31eb182b44e15d49300dee5fadcf6a/commons-codec-1.12.jar
MD5: 9bd59ca0beb26bb00e49b7fdbf1a12c3
SHA1: 47a28ef1ed31eb182b44e15d49300dee5fadcf6a
SHA256:23df58fae9c83d1bcd277b99f9429e9d8c134f0600b73e2e86b2385ed793c81e
Referenced In Projects/Scopes:
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • spark:default
  • splunk:default
  • kafka:default
  • spark:compileClasspath
  • server:runtimeClasspath
  • cassandra:runtimeClasspath
  • druid:default
  • spark:runtimeClasspath
  • linq4j:runtimeClasspath
  • linq4j:default
  • pig:default
  • plus:runtimeClasspath
  • function:default
  • file:compileClasspath
  • core:implementationDependenciesMetadata
  • kafka:runtimeClasspath
  • splunk:runtimeClasspath
  • file:runtimeClasspath
  • innodb:runtimeClasspath
  • elasticsearch:default
  • druid:runtimeClasspath
  • mongodb:default
  • cassandra:default
  • babel:default
  • function:runtimeClasspath
  • redis:runtimeClasspath
  • core:default
  • elasticsearch:compileClasspath
  • babel:runtimeClasspath
  • elasticsearch:runtimeClasspath
  • innodb:default
  • piglet:default
  • csv:default
  • core:compileClasspath
  • calcite:sqllineClasspath
  • core:runtimeClasspath
  • geode:default
  • geode:compileClasspath
  • mongodb:runtimeClasspath
  • file:default
  • server:default
  • pig:runtimeClasspath
  • redis:default
  • geode:runtimeClasspath
  • csv:runtimeClasspath
  • plus:default
  • pig:compileClasspath

Identifiers

commons-collections-3.2.2.jar

Description:

Types that extend and augment the Java Collections Framework.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/commons-collections/commons-collections/3.2.2/8ad72fe39fa8c91eaaf12aadb21e0c3661fe26d5/commons-collections-3.2.2.jar
MD5: f54a8510f834a1a57166970bfc982e94
SHA1: 8ad72fe39fa8c91eaaf12aadb21e0c3661fe26d5
SHA256:eeeae917917144a68a741d4c0dff66aa5c5c5fd85593ff217bced3fc8ca783b8
Referenced In Projects/Scopes:
  • piglet:compileClasspath
  • splunk:checkstyle
  • cassandra:checkstyle
  • piglet:checkstyle
  • calcite:checkstyle
  • bom:checkstyle
  • piglet:runtimeClasspath
  • spark:default
  • spark:compileClasspath
  • function:checkstyle
  • spark:checkstyle
  • plus:checkstyle
  • spark:runtimeClasspath
  • pig:checkstyle
  • druid:checkstyle
  • csv:checkstyle
  • innodb:default
  • piglet:default
  • core:checkstyle
  • server:checkstyle
  • innodb:compileClasspath
  • file:checkstyle
  • innodb:runtimeClasspath
  • calcite:sqllineClasspath
  • geode:default
  • geode:checkstyle
  • geode:compileClasspath
  • mongodb:checkstyle
  • elasticsearch:checkstyle
  • release:checkstyle
  • kafka:checkstyle
  • ubenchmark:checkstyle
  • linq4j:checkstyle
  • redis:checkstyle
  • babel:checkstyle
  • example:checkstyle
  • geode:runtimeClasspath
  • innodb:checkstyle

Identifiers

commons-compiler-3.0.11.jar

Description:

The "commons-compiler" API, including the "IExpressionEvaluator", "IScriptEvaluator", "IClassBodyEvaluator" and "ISimpleCompiler" interfaces.

License:

https://raw.githubusercontent.com/janino-compiler/janino/master/LICENSE
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.codehaus.janino/commons-compiler/3.0.11/f2a6ec7fbc929c9fc87ff8bb486c0574951c5b09/commons-compiler-3.0.11.jar
MD5: 6dea71e8377d7b5df36b11a57406b261
SHA1: f2a6ec7fbc929c9fc87ff8bb486c0574951c5b09
SHA256:0f1a4f5f265c701a31933244ae7045fcef18b4fa5950417e25ee70be50dddacf
Referenced In Projects/Scopes:
  • babel:default
  • piglet:runtimeClasspath
  • spark:default
  • splunk:default
  • function:runtimeClasspath
  • kafka:default
  • redis:runtimeClasspath
  • server:runtimeClasspath
  • cassandra:runtimeClasspath
  • druid:default
  • spark:runtimeClasspath
  • core:default
  • babel:runtimeClasspath
  • elasticsearch:runtimeClasspath
  • innodb:default
  • piglet:default
  • pig:default
  • plus:runtimeClasspath
  • function:default
  • csv:default
  • core:implementationDependenciesMetadata
  • kafka:runtimeClasspath
  • splunk:runtimeClasspath
  • core:compileClasspath
  • file:runtimeClasspath
  • innodb:runtimeClasspath
  • calcite:sqllineClasspath
  • core:runtimeClasspath
  • geode:default
  • elasticsearch:default
  • druid:runtimeClasspath
  • mongodb:runtimeClasspath
  • file:default
  • server:default
  • ubenchmark:jmhCompileClasspath
  • pig:runtimeClasspath
  • mongodb:default
  • redis:default
  • geode:runtimeClasspath
  • csv:runtimeClasspath
  • plus:default
  • cassandra:default

Identifiers

commons-compress-1.4.1.jar

Description:

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, xz and ar, cpio, jar, tar, zip, dump.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.4.1/b02e84a993d88568417536240e970c4b809126fd/commons-compress-1.4.1.jar
MD5: 7f7ff9255a831325f38a170992b70073
SHA1: b02e84a993d88568417536240e970c4b809126fd
SHA256:28a00d80716f073d644b9da76e94b5e8ff94de8e9323f06f558fba653fcf5f86
Referenced In Projects/Scopes:
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • pig:runtimeClasspath
  • spark:default
  • spark:compileClasspath
  • piglet:default
  • pig:default
  • spark:runtimeClasspath
  • pig:compileClasspath

Identifiers

commons-configuration-1.6.jar

Description:

Tools to assist in the reading of configuration/preferences files in various formats

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/commons-configuration/commons-configuration/1.6/32cadde23955d7681b0d94a2715846d20b425235/commons-configuration-1.6.jar
MD5: b099d9f9b4b99071cc52b259308df69a
SHA1: 32cadde23955d7681b0d94a2715846d20b425235
SHA256:46b71b9656154f6a16ea4b1dc84026b52a9305f8eff046a2b4655fa1738e5eee
Referenced In Projects/Scopes:
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • piglet:default
  • spark:runtimeClasspath

Identifiers

commons-crypto-1.0.0.jar

Description:

Apache Commons Crypto is a cryptographic library optimized with AES-NI (Advanced Encryption Standard New Instructions). It provides Java API for both cipher level and Java stream level. Developers can use it to implement high performance AES encryption/decryption with the minimum code and effort. Please note that Crypto doesn't implement the cryptographic algorithm such as AES directly. It wraps to Openssl or JCE which implement the algorithms.

Features:
  1. Cipher API for low level cryptographic operations.
  2. Java stream API (CryptoInputStream/CryptoOutputStream) for high level stream encryption/decryption.
  3. Both optimized with high performance AES encryption/decryption. (1400 MB/s - 1700 MB/s throughput in modern Xeon processors).
  4. JNI-based implementation to achieve comparable performance to the native C++ version based on OpenSsl.
  5. Portable across various operating systems (currently only Linux/MacOSX/Windows); Apache Commons Crypto loads the library according to your machine environment (it checks system properties, `os.name` and `os.arch`).
  6. Simple usage. Add the commons-crypto-(version).jar file to your classpath.

Export restrictions:

This distribution includes cryptographic software. The country in which you currently reside may have restrictions on the import, possession, use, and/or re-export to another country, of encryption software. BEFORE using any encryption software, please check your country's laws, regulations and policies concerning the import, possession, or use, and re-export of encryption software, to see if this is permitted. See for more information.

The U.S. Government Department of Commerce, Bureau of Industry and Security (BIS), has classified this software as Export Commodity Control Number (ECCN) 5D002.C.1, which includes information security software using or performing cryptographic functions with asymmetric algorithms. The form and manner of this Apache Software Foundation distribution makes it eligible for export under the License Exception ENC Technology Software Unrestricted (TSU) exception (see the BIS Export Administration Regulations, Section 740.13) for both object code and source code.

The following provides more details on the included cryptographic software:
  • Commons Crypto use [Java Cryptography Extension](http://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html) provided by Java
  • Commons Crypto link to and use [OpenSSL](https://www.openssl.org/) ciphers

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-crypto/1.0.0/7938f66b01f62f03ef8af8a64401e85e45d51c5d/commons-crypto-1.0.0.jar
MD5: 981c95e38457b10d429090496b96f2d6
SHA1: 7938f66b01f62f03ef8af8a64401e85e45d51c5d
SHA256:0043d8d74d8df632c57f938828e6f6efd555e293a9079dcdf59eab8e40107491
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

commons-crypto-1.0.0.jar: commons-crypto.dll

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-crypto/1.0.0/7938f66b01f62f03ef8af8a64401e85e45d51c5d/commons-crypto-1.0.0.jar/org/apache/commons/crypto/native/Windows/x86/commons-crypto.dll
MD5: 80df8a7e2032790a467db967ce60182e
SHA1: 2a8efda075679e8a913347c52f409015b4ce2e96
SHA256:02e008efb98e14d5b1f16a2219f71ad179ff301bed5a2267883c28d74bcfe6be
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

  • None

commons-crypto-1.0.0.jar: commons-crypto.dll

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-crypto/1.0.0/7938f66b01f62f03ef8af8a64401e85e45d51c5d/commons-crypto-1.0.0.jar/org/apache/commons/crypto/native/Windows/x86_64/commons-crypto.dll
MD5: a330d40c0b4016e6fcff609473eeb44e
SHA1: ed34492e05a31791856eaecdd436db9a875926eb
SHA256:6d8783ac18bc5f770af7371fcf9684af4b531cad982e62ffe508fca22afa573f
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

  • None

commons-dbcp2-2.6.0.jar

Description:

Apache Commons DBCP software implements Database Connection Pooling

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-dbcp2/2.6.0/78d0e99c4bc815a9f20cf6837761e91b7fc6eef4/commons-dbcp2-2.6.0.jar
MD5: dc14a729b359f3770f608d3f2c2e7a9e
SHA1: 78d0e99c4bc815a9f20cf6837761e91b7fc6eef4
SHA256:4af3d49ea0aae838d330cbc969a94ff2fa768e3b637effb8e80a21672dd49bf4
Referenced In Projects/Scopes:
  • babel:default
  • piglet:runtimeClasspath
  • spark:default
  • splunk:default
  • function:runtimeClasspath
  • kafka:default
  • redis:runtimeClasspath
  • server:runtimeClasspath
  • cassandra:runtimeClasspath
  • druid:default
  • spark:runtimeClasspath
  • core:default
  • babel:runtimeClasspath
  • elasticsearch:runtimeClasspath
  • innodb:default
  • piglet:default
  • pig:default
  • plus:runtimeClasspath
  • function:default
  • csv:default
  • core:implementationDependenciesMetadata
  • kafka:runtimeClasspath
  • splunk:runtimeClasspath
  • core:compileClasspath
  • file:runtimeClasspath
  • innodb:runtimeClasspath
  • calcite:sqllineClasspath
  • core:runtimeClasspath
  • geode:default
  • elasticsearch:default
  • druid:runtimeClasspath
  • mongodb:runtimeClasspath
  • file:default
  • server:default
  • pig:runtimeClasspath
  • mongodb:default
  • redis:default
  • geode:runtimeClasspath
  • csv:runtimeClasspath
  • plus:default
  • cassandra:default

Identifiers

commons-digester-1.8.1.jar

Description:

The Digester package lets you configure an XML to Java object mapping module
which triggers certain actions called rules whenever a particular
pattern of nested XML elements is recognized.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/commons-digester/commons-digester/1.8.1/3dec9b9c7ea9342d4dbe8c38560080d85b44a015/commons-digester-1.8.1.jar
MD5: 5002ecf033f5a79e398155823badb36a
SHA1: 3dec9b9c7ea9342d4dbe8c38560080d85b44a015
SHA256:b97b72b4201137262215dca60ceb84e6b664bf7fe428a4d62729de0239cafdb6
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • geode:default
  • geode:runtimeClasspath

Identifiers

commons-digester-1.8.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/commons-digester/commons-digester/1.8/dc6a73fdbd1fa3f0944e8497c6c872fa21dca37e/commons-digester-1.8.jar
MD5: cf89c593f0378e9509a06fce7030aeba
SHA1: dc6a73fdbd1fa3f0944e8497c6c872fa21dca37e
SHA256:05662373044f3dff112567b7bb5dfa1174e91e074c0c727b4412788013f49d56
Referenced In Projects/Scopes:

  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • spark:default
  • spark:compileClasspath
  • piglet:default
  • spark:runtimeClasspath

Identifiers

commons-el-1.0.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/commons-el/commons-el/1.0/1df2c042b3f2de0124750241ac6c886dbfa2cc2c/commons-el-1.0.jar
MD5: 7c98594df7c126f33688fa6d93169639
SHA1: 1df2c042b3f2de0124750241ac6c886dbfa2cc2c
SHA256:0d67550ec0022b653453c759f063a643c2fe64bc48faa8b25f95a220e2a282e2
Referenced In Projects/Scopes:

  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • pig:runtimeClasspath
  • piglet:default
  • pig:default
  • pig:compileClasspath

Identifiers

commons-httpclient-3.1.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/commons-httpclient/commons-httpclient/3.1/964cd74171f427720480efdec40a7c7f6e58426a/commons-httpclient-3.1.jar
MD5: 8ad8c9229ef2d59ab9f59f7050e846a5
SHA1: 964cd74171f427720480efdec40a7c7f6e58426a
SHA256:dbd4953d013e10e7c1cc3701a3e6ccd8c950c892f08d804fabfac21705930443
Referenced In Projects/Scopes:

  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • pig:runtimeClasspath
  • spark:default
  • spark:compileClasspath
  • piglet:default
  • pig:default
  • spark:runtimeClasspath
  • pig:compileClasspath

Identifiers

CVE-2012-5783  

Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
CWE-295 Improper Certificate Validation

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N

References:

Vulnerable Software & Versions:

CVE-2020-13956  

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References:

Vulnerable Software & Versions:

commons-io-2.4.jar

Description:

The Commons IO library contains utility classes, stream implementations, file filters, 
file comparators, endian transformation classes, and much more.
  

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/commons-io/commons-io/2.4/b1b6ea3b7e4aa4f492509a4952029cd8e48019ad/commons-io-2.4.jar
MD5: 7f97854dc04c119d461fed14f5d8bb96
SHA1: b1b6ea3b7e4aa4f492509a4952029cd8e48019ad
SHA256:cc6a41dc3eaacc9e440a6bd0d2890b20d36b4ee408fe2d67122f328bb6e01581
Referenced In Projects/Scopes:
  • piglet:compileClasspath
  • babel:default
  • piglet:runtimeClasspath
  • spark:default
  • splunk:default
  • function:runtimeClasspath
  • kafka:default
  • spark:compileClasspath
  • redis:runtimeClasspath
  • server:runtimeClasspath
  • cassandra:runtimeClasspath
  • druid:default
  • spark:runtimeClasspath
  • core:default
  • babel:runtimeClasspath
  • elasticsearch:runtimeClasspath
  • innodb:default
  • piglet:default
  • pig:default
  • plus:runtimeClasspath
  • function:default
  • csv:default
  • file:compileClasspath
  • core:implementationDependenciesMetadata
  • kafka:runtimeClasspath
  • splunk:runtimeClasspath
  • core:compileClasspath
  • file:runtimeClasspath
  • innodb:runtimeClasspath
  • core:runtimeClasspath
  • elasticsearch:default
  • geode:compileClasspath
  • druid:runtimeClasspath
  • mongodb:runtimeClasspath
  • file:default
  • server:default
  • pig:runtimeClasspath
  • mongodb:default
  • redis:default
  • geode:runtimeClasspath
  • csv:runtimeClasspath
  • plus:default
  • cassandra:default

Identifiers

CVE-2021-29425  

In Apache Commons IO before 2.7, when invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions:

commons-io-2.6.jar

Description:

The Apache Commons IO library contains utility classes, stream implementations, file filters,
file comparators, endian transformation classes, and much more.
  

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/commons-io/commons-io/2.6/815893df5f31da2ece4040fe0a12fd44b577afaf/commons-io-2.6.jar
MD5: 467c2a1f64319c99b5faf03fc78572af
SHA1: 815893df5f31da2ece4040fe0a12fd44b577afaf
SHA256:f877d304660ac2a142f3865badfc971dec7ed73c747c7f8d5d2f5139ca736513
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • geode:default

Identifiers

CVE-2021-29425  

In Apache Commons IO before 2.7, when invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions:

commons-lang-2.4.jar

Description:

Commons Lang, a package of Java utility classes for the
classes that are in java.lang's hierarchy, or are considered to be so
standard as to justify existence in java.lang.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/commons-lang/commons-lang/2.4/16313e02a793435009f1e458fa4af5d879f6fb11/commons-lang-2.4.jar
MD5: 237a8e845441bad2e535c57d985c8204
SHA1: 16313e02a793435009f1e458fa4af5d879f6fb11
SHA256:2c73b940c91250bc98346926270f13a6a10bb6e29d2c9316a70d134e382c873e
Referenced In Projects/Scopes:
  • babel:default
  • splunk:default
  • function:runtimeClasspath
  • kafka:default
  • redis:runtimeClasspath
  • server:runtimeClasspath
  • cassandra:runtimeClasspath
  • druid:default
  • core:default
  • babel:runtimeClasspath
  • elasticsearch:runtimeClasspath
  • innodb:default
  • pig:default
  • plus:runtimeClasspath
  • function:default
  • core:implementationDependenciesMetadata
  • kafka:runtimeClasspath
  • splunk:runtimeClasspath
  • core:compileClasspath
  • innodb:runtimeClasspath
  • core:runtimeClasspath
  • geode:default
  • elasticsearch:default
  • druid:runtimeClasspath
  • mongodb:runtimeClasspath
  • server:default
  • pig:runtimeClasspath
  • mongodb:default
  • redis:default
  • geode:runtimeClasspath
  • plus:default
  • cassandra:default

Identifiers

commons-lang-2.6.jar

Description:

Commons Lang, a package of Java utility classes for the
classes that are in java.lang's hierarchy, or are considered to be so
standard as to justify existence in java.lang.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/commons-lang/commons-lang/2.6/ce1edb914c94ebc388f086c6827e8bdeec71ac2/commons-lang-2.6.jar
MD5: 4d5c1693079575b362edf41500630bbd
SHA1: 0ce1edb914c94ebc388f086c6827e8bdeec71ac2
SHA256:50f11b09f877c294d56f24463f47d28f929cf5044f648661c0f0cfbae9a2f49c
Referenced In Projects/Scopes:
  • file:compileClasspath
  • piglet:compileClasspath
  • file:runtimeClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • file:default
  • spark:runtimeClasspath
  • piglet:default
  • csv:runtimeClasspath
  • csv:default

Identifiers

commons-lang3-3.8.1.jar

Description:

Apache Commons Lang, a package of Java utility classes for the
classes that are in java.lang's hierarchy, or are considered to be so
standard as to justify existence in java.lang.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-lang3/3.8.1/6505a72a097d9270f7a9e7bf42c4238283247755/commons-lang3-3.8.1.jar
MD5: 540b1256d887a6993ecbef23371a3302
SHA1: 6505a72a097d9270f7a9e7bf42c4238283247755
SHA256:dac807f65b07698ff39b1b07bfef3d87ae3fd46d91bbf8a2bc02b2a831616f68
Referenced In Projects/Scopes:
  • innodb:compileClasspath
  • innodb:runtimeClasspath
  • calcite:sqllineClasspath
  • geode:default
  • innodb:default
  • geode:compileClasspath
  • geode:runtimeClasspath

Identifiers

commons-lang3-3.8.jar

Description:

Apache Commons Lang, a package of Java utility classes for the
classes that are in java.lang's hierarchy, or are considered to be so
standard as to justify existence in java.lang.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-lang3/3.8/222fc4cf714a63f27cbdafdbd863efd0d30c8a1e/commons-lang3-3.8.jar
MD5: 0e9023b7d40f09a8f7bdb32889ef4449
SHA1: 222fc4cf714a63f27cbdafdbd863efd0d30c8a1e
SHA256:9375aad1000cdd5bd3068e832de9802094fac1f145655251e141d5d0072fab9a
Referenced In Projects/Scopes:
  • babel:default
  • piglet:runtimeClasspath
  • spark:default
  • splunk:default
  • function:runtimeClasspath
  • kafka:default
  • redis:compileClasspath
  • spark:compileClasspath
  • redis:runtimeClasspath
  • server:runtimeClasspath
  • cassandra:runtimeClasspath
  • druid:default
  • spark:runtimeClasspath
  • core:default
  • druid:compileClasspath
  • babel:runtimeClasspath
  • elasticsearch:runtimeClasspath
  • piglet:default
  • pig:default
  • plus:runtimeClasspath
  • function:default
  • csv:default
  • file:compileClasspath
  • core:implementationDependenciesMetadata
  • kafka:runtimeClasspath
  • splunk:runtimeClasspath
  • core:compileClasspath
  • file:runtimeClasspath
  • core:runtimeClasspath
  • elasticsearch:default
  • druid:runtimeClasspath
  • mongodb:runtimeClasspath
  • file:default
  • server:default
  • pig:runtimeClasspath
  • mongodb:default
  • redis:default
  • csv:runtimeClasspath
  • plus:default
  • cassandra:default

Identifiers

commons-logging-1.1.1.jar

Description:

Commons Logging is a thin adapter allowing configurable bridging to other,
well known logging systems.

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/commons-logging/commons-logging/1.1.1/5043bfebc3db072ed80fbd362e7caf00e885d8ae/commons-logging-1.1.1.jar
MD5: ed448347fc0104034aa14c8189bf37de
SHA1: 5043bfebc3db072ed80fbd362e7caf00e885d8ae
SHA256:ce6f913cad1f0db3aad70186d65c5bc7ffcc9a99e3fe8e0b137312819f7c362f
Referenced In Projects/Scopes:

  • file:compileClasspath
  • file:runtimeClasspath
  • pig:runtimeClasspath
  • pig:compileClasspath

Identifiers

commons-logging-1.2.jar

Description:

Apache Commons Logging is a thin adapter allowing configurable bridging to other,
well known logging systems.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/commons-logging/commons-logging/1.2/4bfc12adfe4842bf07b657f0369c4cb522955686/commons-logging-1.2.jar
MD5: 040b4b4d8eac886f6b4a2a3bd2f31b00
SHA1: 4bfc12adfe4842bf07b657f0369c4cb522955686
SHA256:daddea1ea0be0f56978ab3006b8ac92834afeefbd9b7e4e6316fca57df0fa636
Referenced In Projects/Scopes:
  • piglet:compileClasspath
  • babel:default
  • piglet:runtimeClasspath
  • spark:default
  • splunk:default
  • function:runtimeClasspath
  • kafka:default
  • redis:runtimeClasspath
  • server:runtimeClasspath
  • cassandra:runtimeClasspath
  • druid:default
  • spark:runtimeClasspath
  • core:default
  • linq4j:runtimeClasspath
  • linq4j:default
  • elasticsearch:compileClasspath
  • babel:runtimeClasspath
  • elasticsearch:runtimeClasspath
  • innodb:default
  • piglet:default
  • pig:default
  • plus:runtimeClasspath
  • function:default
  • csv:default
  • core:implementationDependenciesMetadata
  • kafka:runtimeClasspath
  • splunk:runtimeClasspath
  • core:compileClasspath
  • innodb:runtimeClasspath
  • calcite:sqllineClasspath
  • core:runtimeClasspath
  • geode:default
  • elasticsearch:default
  • geode:compileClasspath
  • druid:runtimeClasspath
  • mongodb:runtimeClasspath
  • file:default
  • server:default
  • mongodb:default
  • redis:default
  • geode:runtimeClasspath
  • csv:runtimeClasspath
  • plus:default
  • cassandra:default

Identifiers

commons-math3-3.1.1.jar

Description:

The Math project is a library of lightweight, self-contained mathematics and statistics components addressing the most common practical problems not immediately available in the Java programming language or commons-lang.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-math3/3.1.1/6719d757a98ff24a83d9d727bef9cec83f59b6e1/commons-math3-3.1.1.jar
MD5: 505ece0d2261b037101e6c4bdf541ca7
SHA1: 6719d757a98ff24a83d9d727bef9cec83f59b6e1
SHA256:a07e39d31c46032879f0a48ae1bd0142b17dd67664c008b50216e9891f346c54
Referenced In Projects/Scopes:
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • piglet:default

Identifiers

commons-math3-3.2.jar

Description:

The Math project is a library of lightweight, self-contained mathematics and statistics components addressing the most common practical problems not immediately available in the Java programming language or commons-lang.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-math3/3.2/ec2544ab27e110d2d431bdad7d538ed509b21e62/commons-math3-3.2.jar
MD5: aaa32530c0f744813570ff73db018698
SHA1: ec2544ab27e110d2d431bdad7d538ed509b21e62
SHA256:6268a9a0ea3e769fc493a21446664c0ef668e48c93d126791f6f3f757978fee2
Referenced In Projects/Scopes:
  • ubenchmark:jmhCompileClasspath
  • ubenchmark:jmh

Identifiers

commons-math3-3.4.1.jar

Description:

The Apache Commons Math project is a library of lightweight, self-contained mathematics and statistics components addressing the most common practical problems not immediately available in the Java programming language or commons-lang.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-math3/3.4.1/3ac44a8664228384bc68437264cf7c4cf112f579/commons-math3-3.4.1.jar
MD5: 14a218d0ee57907dd2c7ef944b6c0afd
SHA1: 3ac44a8664228384bc68437264cf7c4cf112f579
SHA256:d1075b14a71087038b0bfd198f0f7dd8e49b5b3529d8e2eba99e7d9eb8565e4b
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

commons-net-1.4.1.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/commons-net/commons-net/1.4.1/abb932adb2c10790c1eaa4365d3ac2a1ac7cb700/commons-net-1.4.1.jar
MD5: 365c9a26e81b212de0553fbed10452cc
SHA1: abb932adb2c10790c1eaa4365d3ac2a1ac7cb700
SHA256:05a3611dedf90d0ab3e8ed83dec4ee49200148c09425437eb9348562fde7d83c
Referenced In Projects/Scopes:

  • pig:runtimeClasspath
  • pig:default
  • pig:compileClasspath

Identifiers

commons-net-3.1.jar

Description:

Apache Commons Net library contains a collection of network utilities and protocol implementations.
Supported protocols include: Echo, Finger, FTP, NNTP, NTP, POP3(S), SMTP(S), Telnet, Whois
    

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/commons-net/commons-net/3.1/2298164a7c2484406f2aa5ac85b205d39019896f/commons-net-3.1.jar
MD5: 23c94d51e72f341fb412d6a015e16313
SHA1: 2298164a7c2484406f2aa5ac85b205d39019896f
SHA256:34a58d6d80a50748307e674ec27b4411e6536fd12e78bec428eb2ee49a123007
Referenced In Projects/Scopes:
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • piglet:default
  • spark:runtimeClasspath

Identifiers

commons-pool2-2.6.1.jar

Description:

The Apache Commons Object Pooling Library.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-pool2/2.6.1/4a285ecdea96fd7b621091b334224c527ae420fb/commons-pool2-2.6.1.jar
MD5: 52f8f610a5d832a7edba51b7b77d1717
SHA1: 4a285ecdea96fd7b621091b334224c527ae420fb
SHA256:e2d6f4084f8a180de66c7700343fe8ad3a0aa84f2cb0561edb417fe1fd41aa15
Referenced In Projects/Scopes:
  • babel:default
  • piglet:runtimeClasspath
  • spark:default
  • splunk:default
  • function:runtimeClasspath
  • kafka:default
  • server:runtimeClasspath
  • cassandra:runtimeClasspath
  • druid:default
  • spark:runtimeClasspath
  • core:default
  • babel:runtimeClasspath
  • elasticsearch:runtimeClasspath
  • innodb:default
  • piglet:default
  • pig:default
  • plus:runtimeClasspath
  • function:default
  • csv:default
  • core:implementationDependenciesMetadata
  • kafka:runtimeClasspath
  • splunk:runtimeClasspath
  • core:compileClasspath
  • file:runtimeClasspath
  • innodb:runtimeClasspath
  • core:runtimeClasspath
  • geode:default
  • elasticsearch:default
  • druid:runtimeClasspath
  • mongodb:runtimeClasspath
  • file:default
  • server:default
  • pig:runtimeClasspath
  • mongodb:default
  • geode:runtimeClasspath
  • csv:runtimeClasspath
  • plus:default
  • cassandra:default

Identifiers

commons-pool2-2.6.2.jar

Description:

The Apache Commons Object Pooling Library.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-pool2/2.6.2/775a8072995b29eafe8fb0a828a190589f71cede/commons-pool2-2.6.2.jar
MD5: 696197d79439773526f300b1a5eb38c9
SHA1: 775a8072995b29eafe8fb0a828a190589f71cede
SHA256:689091759a3a4d8da3be38480e3df3fbcb3c3c9d81811d40cb64c56ae62e68f7
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • redis:compileClasspath
  • redis:default
  • redis:runtimeClasspath

Identifiers

commons-validator-1.6.jar

Description:

Apache Commons Validator provides the building blocks for both client side validation and server side data validation.
It may be used standalone or with a framework like Struts.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/commons-validator/commons-validator/1.6/e989d1e87cdd60575df0765ed5bac65c905d7908/commons-validator-1.6.jar
MD5: 3fd5efd8dcdd601035c123638a897833
SHA1: e989d1e87cdd60575df0765ed5bac65c905d7908
SHA256:bd62795d7068a69cbea333f6dbf9c9c1a6ad7521443fb57202a44874f240ba25
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • geode:default
  • geode:runtimeClasspath

Identifiers

compress-lzf-1.0.3.jar

Description:

 
Compression codec for LZF encoding for particularly encoding/decoding, with reasonable compression.
Compressor is basic Lempel-Ziv codec, without Huffman (deflate/gzip) or statistical post-encoding.
See "http://oldhome.schmorp.de/marc/liblzf.html" for more on original LZF package.
    

License:

Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.ning/compress-lzf/1.0.3/3e1495b0c532ebe58f1c8b1c5d9b3bdcc6c1504c/compress-lzf-1.0.3.jar
MD5: dc55ed6fe0bbad93bbf38331768ba1b4
SHA1: 3e1495b0c532ebe58f1c8b1c5d9b3bdcc6c1504c
SHA256:6cf93bda1c2caf618652f97d2f36c883a5a9774345384c05d3593b173731bccd
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

core-3.1.1.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.eclipse.jdt/core/3.1.1/88c83ce444cf46d02494da37c9fa1eebc9ce9cea/core-3.1.1.jar
MD5: 8672c6db44f6279a89ee1b3b4ac2ddee
SHA1: 88c83ce444cf46d02494da37c9fa1eebc9ce9cea
SHA256:f9e39cf7326b60d1d3016ed90fadc049f71d312c97aa97cbaaf851d6376730ba
Referenced In Projects/Scopes:

  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • pig:runtimeClasspath
  • piglet:default
  • pig:default
  • pig:compileClasspath

Identifiers

core-3.1.1.jar: jdtCompilerAdapter.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.eclipse.jdt/core/3.1.1/88c83ce444cf46d02494da37c9fa1eebc9ce9cea/core-3.1.1.jar/jdtCompilerAdapter.jar
MD5: 487fe5b1b0620b36569379eb247489cd
SHA1: 91920f715d9654c149736a7f508eb5fc4e1747e1
SHA256:35732196f104ff29c208a345b67ca4da993fb2a7095a2419e674f350ab21e726
Referenced In Projects/Scopes:

  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • pig:runtimeClasspath
  • piglet:default
  • pig:default
  • pig:compileClasspath

Identifiers

  • None

curator-client-2.7.1.jar

Description:

Low-level API

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.curator/curator-client/2.7.1/a591dfc085db3e9d4d480381cc7e6ae8a26b34af/curator-client-2.7.1.jar
MD5: 3b43933c18d1dcf15f88db73ee646396
SHA1: a591dfc085db3e9d4d480381cc7e6ae8a26b34af
SHA256:949ac95323bb13b4d9cde33ab1ca73f07a87e6e43cf76629e89fdd74d5b378e4
Referenced In Projects/Scopes:
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • piglet:default
  • spark:runtimeClasspath

Identifiers

curator-framework-2.7.1.jar

Description:

High-level API that greatly simplifies using ZooKeeper.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.curator/curator-framework/2.7.1/8c7b1eeb78e43bb91ea737111ba3dec0512be876/curator-framework-2.7.1.jar
MD5: 35bff30d2a79a8b0731269604b1327ee
SHA1: 8c7b1eeb78e43bb91ea737111ba3dec0512be876
SHA256:a65e3f515b022d84d86c553c99216e384bc82d1de51b5a32b10f33314ad81ceb
Referenced In Projects/Scopes:
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • piglet:default
  • spark:runtimeClasspath

Identifiers

curator-recipes-2.7.1.jar

Description:

All of the recipes listed on the ZooKeeper recipes doc (except two phase commit).

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.curator/curator-recipes/2.7.1/a2c180efc6a38a4f8c9197eb35bb4eb5716cd2fa/curator-recipes-2.7.1.jar
MD5: 156ad30fb9995b072175ae60fbb352a5
SHA1: a2c180efc6a38a4f8c9197eb35bb4eb5716cd2fa
SHA256:ce122f137e36268e30082bf1565c51d874ca926801be3ca73b3c0d522b0dfe2c
Referenced In Projects/Scopes:
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • piglet:default
  • spark:runtimeClasspath

Identifiers

elasticsearch-rest-client-7.0.1.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.elasticsearch.client/elasticsearch-rest-client/7.0.1/bc8c679f6e53a51a99190a7a3108ab760b24bbf5/elasticsearch-rest-client-7.0.1.jar
MD5: c2be6e0386135cff4ded5764dc7af5cc
SHA1: bc8c679f6e53a51a99190a7a3108ab760b24bbf5
SHA256:32630b808e3478cfbe1e52e81c3942f10cee251bec45bbb4b6c76253643db795
Referenced In Projects/Scopes:

  • elasticsearch:compileClasspath
  • calcite:sqllineClasspath
  • elasticsearch:runtimeClasspath
  • elasticsearch:default

Identifiers

error_prone_annotations-2.3.2.jar

License:

Apache 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.google.errorprone/error_prone_annotations/2.3.2/d1a0c5032570e0f64be6b4d9c90cdeb103129029/error_prone_annotations-2.3.2.jar
MD5: 42c8312a7eb4b6ff612049c4f7b514a6
SHA1: d1a0c5032570e0f64be6b4d9c90cdeb103129029
SHA256:357cd6cfb067c969226c442451502aee13800a24e950fdfde77bcdb4565a668d
Referenced In Projects/Scopes:
  • splunk:checkstyle
  • cassandra:checkstyle
  • piglet:checkstyle
  • calcite:checkstyle
  • bom:checkstyle
  • function:checkstyle
  • spark:checkstyle
  • plus:checkstyle
  • pig:checkstyle
  • druid:checkstyle
  • csv:checkstyle
  • core:checkstyle
  • server:checkstyle
  • file:checkstyle
  • geode:checkstyle
  • mongodb:checkstyle
  • elasticsearch:checkstyle
  • release:checkstyle
  • kafka:checkstyle
  • ubenchmark:checkstyle
  • linq4j:checkstyle
  • redis:checkstyle
  • babel:checkstyle
  • example:checkstyle
  • innodb:checkstyle

Identifiers

error_prone_annotations-2.5.1.jar

License:

Apache 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.google.errorprone/error_prone_annotations/2.5.1/562d366678b89ce5d6b6b82c1a073880341e3fba/error_prone_annotations-2.5.1.jar
MD5: 2bf3239388cf5c817cd83ecb692b045f
SHA1: 562d366678b89ce5d6b6b82c1a073880341e3fba
SHA256:ff80626baaf12a09342befd4e84cba9d50662f5fcd7f7a9b3490a6b7cf87e66c
Referenced In Projects/Scopes:
  • cassandra:compileClasspath
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • spark:default
  • splunk:default
  • kafka:default
  • spark:compileClasspath
  • server:runtimeClasspath
  • cassandra:runtimeClasspath
  • druid:default
  • spark:runtimeClasspath
  • linq4j:runtimeClasspath
  • linq4j:default
  • druid:compileClasspath
  • plus:compileClasspath
  • linq4j:compileClasspath
  • pig:default
  • plus:runtimeClasspath
  • splunk:compileClasspath
  • function:default
  • file:compileClasspath
  • core:implementationDependenciesMetadata
  • kafka:runtimeClasspath
  • splunk:runtimeClasspath
  • file:runtimeClasspath
  • innodb:runtimeClasspath
  • elasticsearch:default
  • kafka:compileClasspath
  • druid:runtimeClasspath
  • mongodb:default
  • cassandra:default
  • babel:default
  • function:runtimeClasspath
  • redis:compileClasspath
  • redis:runtimeClasspath
  • core:default
  • function:compileClasspath
  • elasticsearch:compileClasspath
  • babel:runtimeClasspath
  • elasticsearch:runtimeClasspath
  • innodb:default
  • piglet:default
  • babel:compileClasspath
  • csv:default
  • innodb:compileClasspath
  • core:compileClasspath
  • calcite:sqllineClasspath
  • core:runtimeClasspath
  • geode:default
  • geode:compileClasspath
  • mongodb:runtimeClasspath
  • file:default
  • server:default
  • ubenchmark:jmhCompileClasspath
  • pig:runtimeClasspath
  • mongodb:compileClasspath
  • server:compileClasspath
  • redis:default
  • geode:runtimeClasspath
  • csv:compileClasspath
  • csv:runtimeClasspath
  • plus:default
  • pig:compileClasspath

esri-geometry-api-2.2.0.jar

Description:

The Esri Geometry API for Java enables developers to write custom applications for analysis of spatial data.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.esri.geometry/esri-geometry-api/2.2.0/2663f80d28c2470630a996464d6130b2809c9dbe/esri-geometry-api-2.2.0.jar
MD5: 613f8c19da02c4256815a85f3d4bbb1e
SHA1: 2663f80d28c2470630a996464d6130b2809c9dbe
SHA256:08e6f65d3658ee0c199fcf5cf552c5b4e1095d5c60c9e683b27f29e53e219f60
Referenced In Projects/Scopes:
  • cassandra:compileClasspath
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • spark:default
  • splunk:default
  • kafka:default
  • spark:compileClasspath
  • server:runtimeClasspath
  • cassandra:runtimeClasspath
  • druid:default
  • spark:runtimeClasspath
  • druid:compileClasspath
  • plus:compileClasspath
  • pig:default
  • plus:runtimeClasspath
  • splunk:compileClasspath
  • function:default
  • file:compileClasspath
  • core:implementationDependenciesMetadata
  • kafka:runtimeClasspath
  • splunk:runtimeClasspath
  • file:runtimeClasspath
  • innodb:runtimeClasspath
  • elasticsearch:default
  • kafka:compileClasspath
  • druid:runtimeClasspath
  • mongodb:default
  • cassandra:default
  • babel:default
  • function:runtimeClasspath
  • redis:compileClasspath
  • redis:runtimeClasspath
  • core:default
  • function:compileClasspath
  • elasticsearch:compileClasspath
  • babel:runtimeClasspath
  • elasticsearch:runtimeClasspath
  • innodb:default
  • piglet:default
  • babel:compileClasspath
  • csv:default
  • innodb:compileClasspath
  • core:compileClasspath
  • calcite:sqllineClasspath
  • core:runtimeClasspath
  • geode:default
  • geode:compileClasspath
  • mongodb:runtimeClasspath
  • file:default
  • server:default
  • ubenchmark:jmhCompileClasspath
  • pig:runtimeClasspath
  • mongodb:compileClasspath
  • server:compileClasspath
  • redis:default
  • geode:runtimeClasspath
  • csv:compileClasspath
  • csv:runtimeClasspath
  • plus:default
  • pig:compileClasspath

failureaccess-1.0.1.jar

Description:

Contains com.google.common.util.concurrent.internal.InternalFutureFailureAccess and InternalFutures. Most users will never need to use this artifact. Its classes is conceptually a part of Guava, but they're in this separate artifact so that Android libraries can use them without pulling in all of Guava (just as they can use ListenableFuture by depending on the listenablefuture artifact).

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.google.guava/failureaccess/1.0.1/1dcf1de382a0bf95a3d8b0849546c88bac1292c9/failureaccess-1.0.1.jar
MD5: 091883993ef5bfa91da01dcc8fc52236
SHA1: 1dcf1de382a0bf95a3d8b0849546c88bac1292c9
SHA256:a171ee4c734dd2da837e4b16be9df4661afab72a41adaf31eb84dfdaf936ca26
Referenced In Projects/Scopes:
  • cassandra:compileClasspath
  • piglet:compileClasspath
  • splunk:checkstyle
  • calcite:checkstyle
  • piglet:runtimeClasspath
  • spark:default
  • splunk:default
  • kafka:default
  • spark:compileClasspath
  • function:checkstyle
  • server:runtimeClasspath
  • cassandra:runtimeClasspath
  • druid:default
  • spark:runtimeClasspath
  • linq4j:runtimeClasspath
  • linq4j:default
  • druid:checkstyle
  • druid:compileClasspath
  • plus:compileClasspath
  • csv:checkstyle
  • linq4j:compileClasspath
  • pig:default
  • plus:runtimeClasspath
  • splunk:compileClasspath
  • core:checkstyle
  • function:default
  • file:compileClasspath
  • core:implementationDependenciesMetadata
  • file:checkstyle
  • kafka:runtimeClasspath
  • splunk:runtimeClasspath
  • file:runtimeClasspath
  • innodb:runtimeClasspath
  • elasticsearch:default
  • geode:checkstyle
  • kafka:compileClasspath
  • druid:runtimeClasspath
  • mongodb:checkstyle
  • elasticsearch:checkstyle
  • linq4j:checkstyle
  • redis:checkstyle
  • babel:checkstyle
  • mongodb:default
  • cassandra:default
  • innodb:checkstyle
  • cassandra:checkstyle
  • piglet:checkstyle
  • bom:checkstyle
  • babel:default
  • function:runtimeClasspath
  • redis:compileClasspath
  • redis:runtimeClasspath
  • spark:checkstyle
  • plus:checkstyle
  • core:default
  • function:compileClasspath
  • pig:checkstyle
  • elasticsearch:compileClasspath
  • babel:runtimeClasspath
  • elasticsearch:runtimeClasspath
  • innodb:default
  • piglet:default
  • babel:compileClasspath
  • server:checkstyle
  • csv:default
  • innodb:compileClasspath
  • core:compileClasspath
  • calcite:sqllineClasspath
  • core:runtimeClasspath
  • geode:default
  • geode:compileClasspath
  • mongodb:runtimeClasspath
  • release:checkstyle
  • file:default
  • server:default
  • kafka:checkstyle
  • ubenchmark:checkstyle
  • ubenchmark:jmhCompileClasspath
  • example:checkstyle
  • pig:runtimeClasspath
  • mongodb:compileClasspath
  • server:compileClasspath
  • redis:default
  • geode:runtimeClasspath
  • csv:compileClasspath
  • csv:runtimeClasspath
  • plus:default
  • pig:compileClasspath

fastutil-8.2.2.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/it.unimi.dsi/fastutil/8.2.2/975aab42e32a96ecb9696971a87c87a049055452/fastutil-8.2.2.jar
MD5: c8f4236df0f16a8125b415eb4371c0dd
SHA1: 975aab42e32a96ecb9696971a87c87a049055452
SHA256:a6492bd60e4a93c3e302c00291497696bf6d2f927eacaff11cb4fa336dfd5097
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • geode:default
  • geode:runtimeClasspath

findbugs-annotations-1.3.9-1.jar

Description:

A clean room implementation of the Findbugs Annotations based entirely on the specification provided by the javadocs and at http://findbugs.sourceforge.net/manual/annotations.html.

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.github.stephenc.findbugs/findbugs-annotations/1.3.9-1/a6b11447635d80757d64b355bed3c00786d86801/findbugs-annotations-1.3.9-1.jar
MD5: 70fda5202eb9d9ce4f250f2c2ba71152
SHA1: a6b11447635d80757d64b355bed3c00786d86801
SHA256:1e651066ed9ae35d7e3001d635d1dbba1c2965db0e4e33e2c14ad610543f225c
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • geode:default
  • geode:runtimeClasspath

fmpp-0.9.16.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.sourceforge.fmpp/fmpp/0.9.16/e113af0e1b2b81058980d63b13a810e42036207e/fmpp-0.9.16.jar
MD5: c45c2da08ca71c7a1bd71af7b622b578
SHA1: e113af0e1b2b81058980d63b13a810e42036207e
SHA256:16ec342bd8f7600f6823445b59c82475fc3cb00e72e81f2c998f208529e41ecd
Referenced In Projects/Scopes:

  • babel:fmppClaspath
  • server:fmppClaspath
  • core:fmppClaspath

foodmart-data-hsqldb-0.3.jar

Description:

Foodmart data set in hsqldb format

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.hydromatic/foodmart-data-hsqldb/0.3/137a80234659c23c12149bb5bfb998f8c409dee4/foodmart-data-hsqldb-0.3.jar
MD5: b8476326acbcbdd9850e8e89be99b761
SHA1: 137a80234659c23c12149bb5bfb998f8c409dee4
SHA256:6b885d71074756360052030f3dac0b87f7b20ef0b6fc3710dc388f78fd4eff79
Referenced In Project/Scope: calcite:sqllineClasspath

freemarker-2.3.29.jar

License:

Apache License, Version 2.0; see: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.freemarker/freemarker/2.3.29/46005eeee02e4458520c85d0bcf5001467b053c3/freemarker-2.3.29.jar
MD5: e7b12d592512f9a0a2712112f67ef4f3
SHA1: 46005eeee02e4458520c85d0bcf5001467b053c3
SHA256:ce9ffbcd065cbce1d5bf295755965167cdbaea4d13039a09e842cea32f0d7655
Referenced In Projects/Scopes:
  • babel:fmppClaspath
  • server:fmppClaspath
  • core:fmppClaspath

geode-common-1.10.0.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.geode/geode-common/1.10.0/543800f90965b8fd58a84cff400ba7c991afff1d/geode-common-1.10.0.jar
MD5: dac7e5c30e38168fee80867d5200563e
SHA1: 543800f90965b8fd58a84cff400ba7c991afff1d
SHA256:c124bf87b09c1d4eaacf65884a61015cdf4b1bfd7b37c3192c818c20f6527cc5
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • geode:default
  • geode:compileClasspath
  • geode:runtimeClasspath

geode-core-1.10.0.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.geode/geode-core/1.10.0/81f925c18827b980a841224e0a93848f4d85c8f4/geode-core-1.10.0.jar
MD5: 4dc0a799c77b4d62e6c42a1618615214
SHA1: 81f925c18827b980a841224e0a93848f4d85c8f4
SHA256:10f9b5e868015b0ba93f3bbd1154764ebba561a0d35acac0c5788e41b96de541
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • geode:default
  • geode:compileClasspath
  • geode:runtimeClasspath

geode-management-1.10.0.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.geode/geode-management/1.10.0/a7b4e3b15fd940f0fa5c78300be74f55ba0d3553/geode-management-1.10.0.jar
MD5: 82428ca698555c2e3a53a35d105a02f4
SHA1: a7b4e3b15fd940f0fa5c78300be74f55ba0d3553
SHA256:0407b7669278999826ea74a5522f0ba9669a8a07711b0b405de6c902c2bb08aa
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • geode:default
  • geode:compileClasspath
  • geode:runtimeClasspath

groovy-all-1.8.6.jar

Description:

Groovy Runtime

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.codehaus.groovy/groovy-all/1.8.6/96a26bfa6e5aea2e3c46df44a19de93a2acd2366/groovy-all-1.8.6.jar
MD5: 81898a6b6f02decf1f1a5d0a43fa0f2d
SHA1: 96a26bfa6e5aea2e3c46df44a19de93a2acd2366
SHA256:69158647e58b7414735230a329ad5d3ef51936fcf0c3e4f195f3fec5f361c858
Referenced In Projects/Scopes:

  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • pig:runtimeClasspath
  • piglet:default
  • pig:default
  • pig:compileClasspath

CVE-2015-3253 (OSSINDEX)  

The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.groovy:groovy-all:1.8.6:*:*:*:*:*:*:*

CVE-2016-6814 (OSSINDEX)  

When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.groovy:groovy-all:1.8.6:*:*:*:*:*:*:*

gson-2.2.4.jar

Description:

Google Gson library

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.2.4/a60a5e993c98c864010053cb901b7eab25306568/gson-2.2.4.jar
MD5: 2f54fc24807a4cad7297012dd8cebf3d
SHA1: a60a5e993c98c864010053cb901b7eab25306568
SHA256:c0328cd07ca9e363a5acd00c1cf4afe8cf554bd6d373834981ba05cebec687fb
Referenced In Projects/Scopes:

  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • piglet:default
  • spark:runtimeClasspath

guava-28.1-jre.jar

Description:

Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/28.1-jre/b0e91dcb6a44ffb6221b5027e12a5cb34b841145/guava-28.1-jre.jar
MD5: 4faae794936faf441fcb7afb2c7db507
SHA1: b0e91dcb6a44ffb6221b5027e12a5cb34b841145
SHA256:30beb8b8527bd07c6e747e77f1a92122c2f29d57ce347461a4a55eb26e382da4
Referenced In Projects/Scopes:
  • splunk:checkstyle
  • cassandra:checkstyle
  • piglet:checkstyle
  • calcite:checkstyle
  • bom:checkstyle
  • function:checkstyle
  • spark:checkstyle
  • plus:checkstyle
  • pig:checkstyle
  • druid:checkstyle
  • csv:checkstyle
  • core:checkstyle
  • server:checkstyle
  • file:checkstyle
  • geode:checkstyle
  • mongodb:checkstyle
  • elasticsearch:checkstyle
  • release:checkstyle
  • kafka:checkstyle
  • ubenchmark:checkstyle
  • linq4j:checkstyle
  • redis:checkstyle
  • babel:checkstyle
  • example:checkstyle
  • innodb:checkstyle

CVE-2020-8908  

A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
CWE-732 Incorrect Permission Assignment for Critical Resource

CVSSv2:
  • Base Score: LOW (2.1)
  • Vector: /AV:L/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: LOW (3.3)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

guava-29.0-jre.jar

Description:

Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/29.0-jre/801142b4c3d0f0770dd29abea50906cacfddd447/guava-29.0-jre.jar
MD5: c87962fe0522b105531f37fe351b3b0c
SHA1: 801142b4c3d0f0770dd29abea50906cacfddd447
SHA256:b22c5fb66d61e7b9522531d04b2f915b5158e80aa0b40ee7282c8bfb07b0da25
Referenced In Projects/Scopes:
  • cassandra:compileClasspath
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • spark:default
  • splunk:default
  • kafka:default
  • spark:compileClasspath
  • server:runtimeClasspath
  • cassandra:runtimeClasspath
  • druid:default
  • spark:runtimeClasspath
  • linq4j:runtimeClasspath
  • linq4j:default
  • druid:compileClasspath
  • plus:compileClasspath
  • linq4j:compileClasspath
  • pig:default
  • plus:runtimeClasspath
  • splunk:compileClasspath
  • function:default
  • file:compileClasspath
  • core:implementationDependenciesMetadata
  • kafka:runtimeClasspath
  • splunk:runtimeClasspath
  • file:runtimeClasspath
  • innodb:runtimeClasspath
  • elasticsearch:default
  • kafka:compileClasspath
  • druid:runtimeClasspath
  • mongodb:default
  • cassandra:default
  • babel:default
  • function:runtimeClasspath
  • redis:compileClasspath
  • redis:runtimeClasspath
  • core:default
  • function:compileClasspath
  • elasticsearch:compileClasspath
  • babel:runtimeClasspath
  • elasticsearch:runtimeClasspath
  • innodb:default
  • piglet:default
  • babel:compileClasspath
  • csv:default
  • innodb:compileClasspath
  • core:compileClasspath
  • calcite:sqllineClasspath
  • core:runtimeClasspath
  • geode:default
  • geode:compileClasspath
  • mongodb:runtimeClasspath
  • file:default
  • server:default
  • ubenchmark:jmhCompileClasspath
  • pig:runtimeClasspath
  • mongodb:compileClasspath
  • server:compileClasspath
  • redis:default
  • geode:runtimeClasspath
  • csv:compileClasspath
  • csv:runtimeClasspath
  • plus:default
  • pig:compileClasspath

CVE-2020-8908  

A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
CWE-732 Incorrect Permission Assignment for Critical Resource

CVSSv2:
  • Base Score: LOW (2.1)
  • Vector: /AV:L/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: LOW (3.3)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

guice-3.0.jar

Description:

Guice is a lightweight dependency injection framework for Java 5 and above

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.google.inject/guice/3.0/9d84f15fe35e2c716a02979fb62f50a29f38aefa/guice-3.0.jar
MD5: ca1c7ba366884cfcd2cfb48d2395c400
SHA1: 9d84f15fe35e2c716a02979fb62f50a29f38aefa
SHA256:1a59d0421ffd355cc0b70b42df1c2e9af744c8a2d0c92da379f5fca2f07f1d22
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

hadoop-annotations-2.7.5.jar

Description:

Apache Hadoop Annotations

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-annotations/2.7.5/f0e097d895d40b7687cef16476efc50dfc010f4d/hadoop-annotations-2.7.5.jar
MD5: 0e6dea0c894a3bdb9490089a7eb79888
SHA1: f0e097d895d40b7687cef16476efc50dfc010f4d
SHA256:29e955edec12d708171616ea8b0c04e3aa7148d710207421a31ec0b763bc4144
Referenced In Projects/Scopes:

  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • piglet:default
  • spark:runtimeClasspath

CVE-2017-15713  

Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE-2018-11766  

In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2018-11767  

In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6, KMS blocking users or granting access to users incorrectly, if the system uses non-default groups mapping mechanisms.
CWE-269 Improper Privilege Management

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.4)
  • Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H

CVE-2018-11768  

In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2018-1296  

In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2018-8009  

Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2018-8029  

In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2020-9492  

In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.
CWE-269 Improper Privilege Management

CVSSv2:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

hadoop-auth-2.7.5.jar

Description:

Apache Hadoop Auth - Java HTTP SPNEGO

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-auth/2.7.5/36fce8096484404d1e5c28568710a7d158cc046e/hadoop-auth-2.7.5.jar
MD5: 935ce77ef942edd52d8d96c115211a09
SHA1: 36fce8096484404d1e5c28568710a7d158cc046e
SHA256:0a1fae74e2403c293f5aef9fd785730d74d182233c853bc4e6ae7ec936cd4ff2
Referenced In Projects/Scopes:

  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • piglet:default
  • spark:runtimeClasspath

CVE-2017-15713  

Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE-2018-11766  

In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2018-11767  

In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6, KMS blocking users or granting access to users incorrectly, if the system uses non-default groups mapping mechanisms.
CWE-269 Improper Privilege Management

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.4)
  • Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H

CVE-2018-11768  

In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2018-1296  

In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2018-8009  

Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2018-8029  

In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2020-9492  

In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.
CWE-269 Improper Privilege Management

CVSSv2:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

hadoop-client-2.7.5.jar

Description:

Apache Hadoop Client

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-client/2.7.5/80bba794bfea1dd2bc98a35a6a6d1c29c49a5af4/hadoop-client-2.7.5.jar
MD5: a2e6a613576cd2e0804311b6e26707cf
SHA1: 80bba794bfea1dd2bc98a35a6a6d1c29c49a5af4
SHA256:217d1f4df6626383129c8513bc4706244e6aa3f5aa870f22be6052f2b92036f6
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

CVE-2017-15713  

Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE-2018-11766  

In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2018-11767  

In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6, KMS blocking users or granting access to users incorrectly, if the system uses non-default groups mapping mechanisms.
CWE-269 Improper Privilege Management

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.4)
  • Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H

CVE-2018-11768  

In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2018-1296  

In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2018-8009  

Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2018-8029  

In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2020-9492  

In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.
CWE-269 Improper Privilege Management

CVSSv2:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

hadoop-common-2.7.5.jar

Description:

Apache Hadoop Common

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-common/2.7.5/6c480e12f6a9659d3cfad33f6edcd2e7f2d988c4/hadoop-common-2.7.5.jar
MD5: ecc80489e611d5691f9953b088542a4a
SHA1: 6c480e12f6a9659d3cfad33f6edcd2e7f2d988c4
SHA256: b7057a315dd6f699f787b89e56d4e2edaf149273e56ed93b414d7b1c3e4040ab
Referenced In Projects/Scopes:

  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • piglet:default
  • spark:runtimeClasspath

Identifiers

CVE-2017-15713  

Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE-2018-11766  

In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2018-11767  

In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6, KMS blocking users or granting access to users incorrectly, if the system uses non-default groups mapping mechanisms.
CWE-269 Improper Privilege Management

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.4)
  • Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H

CVE-2018-11768  

In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2018-1296  

In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2018-8009  

Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2018-8029  

In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2020-9492  

In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.
CWE-269 Improper Privilege Management

CVSSv2:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

hadoop-hdfs-2.7.5.jar

Description:

Apache Hadoop HDFS

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-hdfs/2.7.5/9580cb7c6ee9c3a71a4e540df2068c416a2796cf/hadoop-hdfs-2.7.5.jar
MD5: 4cb1f6c8e8bc924f9ea2292fdeb839e7
SHA1: 9580cb7c6ee9c3a71a4e540df2068c416a2796cf
SHA256: ff06e3c3f35a999ab9d01e4789ecda0af447f355bcce72af3e4259a92a113b66
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

CVE-2017-15713  

Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE-2018-11766  

In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2018-11767  

In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6, KMS blocking users or granting access to users incorrectly, if the system uses non-default groups mapping mechanisms.
CWE-269 Improper Privilege Management

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.4)
  • Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H

CVE-2018-11768  

In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2018-1296  

In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2018-8009  

Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2018-8029  

In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2020-9492  

In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.
CWE-269 Improper Privilege Management

CVSSv2:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

hadoop-mapreduce-client-app-2.7.5.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-mapreduce-client-app/2.7.5/d36794fda053b8a0d460091c96066b89f40efb18/hadoop-mapreduce-client-app-2.7.5.jar
MD5: 7c88441dcae1f40da90c89ff0deb8941
SHA1: d36794fda053b8a0d460091c96066b89f40efb18
SHA256: 9a0e61a12ccf29426798e7b1dbf86f6c27b088867d24808e037de7843d18f895
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

CVE-2017-15713  

Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE-2018-11766  

In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2018-11767  

In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6, KMS blocking users or granting access to users incorrectly, if the system uses non-default groups mapping mechanisms.
CWE-269 Improper Privilege Management

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.4)
  • Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H

CVE-2018-11768  

In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2018-1296  

In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2018-8009  

Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2018-8029  

In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2020-9492  

In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.
CWE-269 Improper Privilege Management

CVSSv2:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

hadoop-mapreduce-client-common-2.7.5.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-mapreduce-client-common/2.7.5/e00e1bc28345ada3a895556ff7a938e86aff6de5/hadoop-mapreduce-client-common-2.7.5.jar
MD5: a9e36e8a31413414e5795935e2b22f05
SHA1: e00e1bc28345ada3a895556ff7a938e86aff6de5
SHA256: 2225a2b624cbd24945453ddc549ea8f140f897c739d923f675b33927f790d333
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

CVE-2017-15713  

Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE-2018-11766  

In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2018-11767  

In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6, KMS blocking users or granting access to users incorrectly, if the system uses non-default groups mapping mechanisms.
CWE-269 Improper Privilege Management

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.4)
  • Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H

CVE-2018-11768  

In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2018-1296  

In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2018-8009  

Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2018-8029  

In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2020-9492  

In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.
CWE-269 Improper Privilege Management

CVSSv2:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

hadoop-mapreduce-client-core-2.7.5.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-mapreduce-client-core/2.7.5/9897775c6c58d0d36692cca81851f6566bf2461c/hadoop-mapreduce-client-core-2.7.5.jar
MD5: 8d6eed0f8af6cb762aa949e28d309355
SHA1: 9897775c6c58d0d36692cca81851f6566bf2461c
SHA256: d125e74720f07be8d7c5792d1448cd81afbbf8e94b02c52adac57cb1c1ff80b0
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

CVE-2017-15713  

Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE-2018-11766  

In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2018-11767  

In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6, KMS blocking users or granting access to users incorrectly, if the system uses non-default groups mapping mechanisms.
CWE-269 Improper Privilege Management

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.4)
  • Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H

CVE-2018-11768  

In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2018-1296  

In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2018-8009  

Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2018-8029  

In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2020-9492  

In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.
CWE-269 Improper Privilege Management

CVSSv2:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

hadoop-mapreduce-client-jobclient-2.7.5.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-mapreduce-client-jobclient/2.7.5/3cb2761a5532223834eb920b79d71a90b941fffb/hadoop-mapreduce-client-jobclient-2.7.5.jar
MD5: 74383f3a8e972a2c0a94c05c8b4f24fe
SHA1: 3cb2761a5532223834eb920b79d71a90b941fffb
SHA256: 8e82ee8e00211763818f1dc174a0b19ea0f9ef10f447acf1e91636bde0221d38
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

CVE-2017-15713  

Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE-2018-11766  

In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2018-11767  

In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6, KMS blocking users or granting access to users incorrectly, if the system uses non-default groups mapping mechanisms.
CWE-269 Improper Privilege Management

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.4)
  • Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H

CVE-2018-11768  

In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2018-1296  

In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2018-8009  

Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2018-8029  

In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2020-9492  

In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.
CWE-269 Improper Privilege Management

CVSSv2:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

hadoop-mapreduce-client-shuffle-2.7.5.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-mapreduce-client-shuffle/2.7.5/4deb0392a666f5f9e65af7458305d78099de8a19/hadoop-mapreduce-client-shuffle-2.7.5.jar
MD5: ba50093ef464d426d637cfb0061f1ab4
SHA1: 4deb0392a666f5f9e65af7458305d78099de8a19
SHA256: 2f15ee20fa8158fe04e0fa3104e5095a54a881abfcea856ce58c23717d2fa456
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

CVE-2017-15713  

Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE-2018-11766  

In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2018-11767  

In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6, KMS blocking users or granting access to users incorrectly, if the system uses non-default groups mapping mechanisms.
CWE-269 Improper Privilege Management

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.4)
  • Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H

CVE-2018-11768  

In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2018-1296  

In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2018-8009  

Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2018-8029  

In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2020-9492  

In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.
CWE-269 Improper Privilege Management

CVSSv2:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

hadoop-yarn-api-2.7.5.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-yarn-api/2.7.5/7a78260a7a750bedb5019a58227f356d46caf829/hadoop-yarn-api-2.7.5.jar
MD5: 15e76f7c734b49315ef2bce952509ddf
SHA1: 7a78260a7a750bedb5019a58227f356d46caf829
SHA256: 8ea58e3798d6b208fc29b56965788f5dbefd94514fd49331696ec8d85bf7077e
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

CVE-2017-15713  

Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE-2018-11766  

In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2018-11767  

In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6, KMS blocking users or granting access to users incorrectly, if the system uses non-default groups mapping mechanisms.
CWE-269 Improper Privilege Management

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.4)
  • Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H

CVE-2018-11768  

In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2018-1296  

In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2018-8009  

Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2018-8029  

In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2020-9492  

In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.
CWE-269 Improper Privilege Management

CVSSv2:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

hadoop-yarn-client-2.7.5.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-yarn-client/2.7.5/fef50595a9f088e9e410f22cd5894c607a804ecd/hadoop-yarn-client-2.7.5.jar
MD5: 2bf65a5f66646be45358c4fa36a8a25f
SHA1: fef50595a9f088e9e410f22cd5894c607a804ecd
SHA256: 56dcc4815eaf58bff2bd51e1a24ffbab3e9e11f28a1746270fa50038aa33e94c
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

CVE-2017-15713  

Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE-2018-11766  

In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2018-11767  

In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6, KMS blocking users or granting access to users incorrectly, if the system uses non-default groups mapping mechanisms.
CWE-269 Improper Privilege Management

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.4)
  • Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H

CVE-2018-11768  

In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2018-1296  

In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2018-8009  

Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2018-8029  

In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2020-9492  

In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.
CWE-269 Improper Privilege Management

CVSSv2:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

hadoop-yarn-common-2.7.5.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-yarn-common/2.7.5/b642449750a8d0a51c4310b19264209e0e5c0fe9/hadoop-yarn-common-2.7.5.jar
MD5: 509be5651b2ff8951dd5e9decdf4cf7f
SHA1: b642449750a8d0a51c4310b19264209e0e5c0fe9
SHA256: 2b104b70833cb6f97fcfe9555a93e43f0942068a3e1137a6adbf9d4c0ebbd539
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

CVE-2017-15713  

Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE-2018-11766  

In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2018-11767  

In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6, KMS blocking users or granting access to users incorrectly, if the system uses non-default groups mapping mechanisms.
CWE-269 Improper Privilege Management

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.4)
  • Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H

CVE-2018-11768  

In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2018-1296  

In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2018-8009  

Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2018-8029  

In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2020-9492  

In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.
CWE-269 Improper Privilege Management

CVSSv2:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

hadoop-yarn-common-2.7.5.jar: jquery-1.8.2.min.js.gz: jquery-1.8.2.min.js

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-yarn-common/2.7.5/b642449750a8d0a51c4310b19264209e0e5c0fe9/hadoop-yarn-common-2.7.5.jar/webapps/static/jquery/jquery-1.8.2.min.js.gz/jquery-1.8.2.min.js
MD5: cfa9051cc0b05eb519f1e16b2a6645d7
SHA1: 149b5180cb9de3f646fc26802440a6ac6e758d40
SHA256: f23d4b309b72743aa8afe1f8c98a25b3ee31246fa572c66d9d8cb1982cae4fbc
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

CVE-2012-6708  

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions up to (excluding) 1.9.0

CVE-2015-9251  

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions up to (excluding) 3.0.0

CVE-2019-11358  

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions up to (excluding) 3.4.0
  • cpe:2.3:a:oracle:communications_interactive_session_recorder:*:*:*:*:*:*:*:* versions from (including) 6.0; versions up to (including) 6.4
  • cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:18.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_data_integration_hub:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_element_manager:8.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_testing_suite:12.5.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:policy_automation:12.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_testing_suite:13.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_operations_monitor:4.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_diameter_signaling_router:8.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_performance_insight:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:* versions from (including) 2.4.0; versions up to (including) 2.10.0
  • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 16.2.0; versions up to (including) 16.2.11
  • cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 17.12.0; versions up to (including) 17.12.7
  • cpe:2.3:a:oracle:jdeveloper:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_point-of-service:14.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_enterprise_financial_performance_analytics:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:11.2.0.4:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.15
  • cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_profitability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:big_data_discovery:1.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_ifrs_17_analyzer:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_data_governance_for_us_regulatory_reporting:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.9
  • cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_enterprise_collections:*:*:*:*:*:*:*:* versions from (including) 2.7.0; versions up to (including) 2.8.0
  • cpe:2.3:a:oracle:system_utilities:19.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:tape_library_acsls:8.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_foundation:7.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.4.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 18.8.0; versions up to (including) 18.8.9
  • cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.66
  • cpe:2.3:a:oracle:rest_data_services:19c:*:*:*:-:*:*:*
  • cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_central_office:14.1:*:*:*:*:*:*:*
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.5.0; versions up to (excluding) 8.5.15
  • cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* versions from (including) 3.0; versions up to (including) 3.1.3
  • cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_session_border_controller:8.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_accounting_analyzer:8.0.9:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_retail_performance_analytics:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2:*:*:*:*:*:*:*
  • cpe:2.3:a:backdropcms:backdrop:*:*:*:*:*:*:*:* versions from (including) 1.12.0; versions up to (excluding) 1.12.6
  • cpe:2.3:a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_gateway:15.2.18:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_us_federal_reserve:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_webrtc_session_controller:7.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_asset_liability_management:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_simphony:18.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_balance_sheet_planning:8.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_data_integration_hub:*:*:*:*:*:*:*:* versions from (including) 8.0.5; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:communications_operations_monitor:*:*:*:*:*:*:*:* versions from (including) 4.1; versions up to (including) 4.3
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:bi_publisher:5.5.0.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:bi_publisher:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*
  • cpe:2.3:a:oracle:tape_library_acsls:8.5:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:siebel_mobile_applications:*:*:*:*:*:*:*:* versions up to (including) 19.8
  • cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:utilities_mobile_workforce_management:*:*:*:*:*:*:*:* versions from (including) 2.3.0.1; versions up to (including) 2.3.0.3

CVE-2020-11022  

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Vulnerable Software & Versions (NVD):

CVE-2020-11023  

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Vulnerable Software & Versions (NVD):

hadoop-yarn-common-2.7.5.jar: jquery-ui-1.9.1.custom.min.js.gz: jquery-ui-1.9.1.custom.min.js

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-yarn-common/2.7.5/b642449750a8d0a51c4310b19264209e0e5c0fe9/hadoop-yarn-common-2.7.5.jar/webapps/static/jquery/jquery-ui-1.9.1.custom.min.js.gz/jquery-ui-1.9.1.custom.min.js
MD5: ab92e49c769e9593ff52cbdb48a9dd03
SHA1: 43751816cc0b6480e8fb3b2398952d6a865e8b89
SHA256: 1fb0b66548624c8cf9ebf2d0c81970910ab0c8031a8ada6f8e6f884114344e8d
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

CVE-2010-5312  

Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title option.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:jquery:jquery_ui:*:*:*:*:*:*:*:* versions up to (excluding) 1.10.0

CVE-2016-7103  

Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject arbitrary web script or HTML via the closeText parameter of the dialog function.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Vulnerable Software & Versions (NVD):

hadoop-yarn-common-2.7.5.jar: jquery.dataTables.min.js.gz: jquery.dataTables.min.js

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-yarn-common/2.7.5/b642449750a8d0a51c4310b19264209e0e5c0fe9/hadoop-yarn-common-2.7.5.jar/webapps/static/dt-1.9.4/js/jquery.dataTables.min.js.gz/jquery.dataTables.min.js
MD5: dd02e31cea8b6f07d665e5a0d0b53f50
SHA1: 98c517335f66552467f2372e1cd650f93cbffeaf
SHA256: 1783d49bec463c334d276a72d3b239f6366f6487c2e77e544838e8c6dcc657d9
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

  • None

hadoop-yarn-common-2.7.5.jar: jquery.jstree.js.gz: jquery.jstree.js

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-yarn-common/2.7.5/b642449750a8d0a51c4310b19264209e0e5c0fe9/hadoop-yarn-common-2.7.5.jar/webapps/static/jt/jquery.jstree.js.gz/jquery.jstree.js
MD5: 90107823a51eda2bbe77a6b2baac3466
SHA1: 89944976806fcac399356f8d698952473f936489
SHA256: 9dcb812e3e7f2c38f0c93a37e4aa923ce3a74ab65a97656957ff3fb780baf3d0
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

  • None

hadoop-yarn-common-2.7.5.jar: natural.js

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-yarn-common/2.7.5/b642449750a8d0a51c4310b19264209e0e5c0fe9/hadoop-yarn-common-2.7.5.jar/webapps/static/dt-sorting/natural.js
MD5: 6119b176fc9ded71d13d2d9e4b166ba9
SHA1: 2f5ecc90d7e4a8d6922c345cadf4952be2eb0d6d
SHA256: 7abeaadbaef39a5a540701143e8bdc05a82be5030b69eb03373d3b7a84c0225f
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

  • None

hadoop-yarn-common-2.7.5.jar: yarn.dt.plugins.js

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-yarn-common/2.7.5/b642449750a8d0a51c4310b19264209e0e5c0fe9/hadoop-yarn-common-2.7.5.jar/webapps/static/yarn.dt.plugins.js
MD5: 92892ffa06992a58682b3df403910d8f
SHA1: 6c45673282b91be2d21977d3ffb53797179e4854
SHA256: f3b3e49f23c491bbd0d3e15fbd1a7e60315e6cac4c2e8ba7be7ab1c058880ba1
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

  • None

hadoop-yarn-server-common-2.7.5.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-yarn-server-common/2.7.5/98323db28aff7e0d5b1729450086eb215cdf1ee7/hadoop-yarn-server-common-2.7.5.jar
MD5: 65aa76b3b6a5a1d400429a73466c1313
SHA1: 98323db28aff7e0d5b1729450086eb215cdf1ee7
SHA256: 036afa26ddb37718f5eb2923a4b0f90b50a9a65b9320997870d5272ffa7b3c59
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

CVE-2017-15713  

Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE-2018-11766  

In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2018-11767  

In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6, KMS blocking users or granting access to users incorrectly, if the system uses non-default groups mapping mechanisms.
CWE-269 Improper Privilege Management

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.4)
  • Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H

CVE-2018-11768  

In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2018-1296  

In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2018-8009  

Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2018-8029  

In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2020-9492  

In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.
CWE-269 Improper Privilege Management

CVSSv2:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

hadoop-yarn-server-nodemanager-2.7.5.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-yarn-server-nodemanager/2.7.5/719fff671d727354f70868011da6de37ee537732/hadoop-yarn-server-nodemanager-2.7.5.jar
MD5: 8bb068230f552e036c3a13c3b54a4aae
SHA1: 719fff671d727354f70868011da6de37ee537732
SHA256:f84fb2d4f20f7d0c8800a150947d6941dd5fd39bf819e58cf57ea37d0b5c7eab
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

CVE-2017-15713  

Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (4.0)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE-2018-11766  

In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2018-11767  

In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6, KMS blocking users or granting access to users incorrectly, if the system uses non-default groups mapping mechanisms.
CWE-269 Improper Privilege Management

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.4)
  • Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H

CVE-2018-11768  

In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2018-1296  

In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2018-8009  

Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2018-8029  

In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2020-9492  

In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.
CWE-269 Improper Privilege Management

CVSSv2:
  • Base Score: MEDIUM (6.5)
  • Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

hamcrest-2.1.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.hamcrest/hamcrest/2.1/9420ba32c29217b54eebd26ff7f9234d31c3fbb2/hamcrest-2.1.jar
MD5: a139bcc7cb0c2eff7e9f9733a58d5bdd
SHA1: 9420ba32c29217b54eebd26ff7f9234d31c3fbb2
SHA256:ba93b2e3a562322ba432f0a1b53addcc55cb188253319a020ed77f824e692050
Referenced In Projects/Scopes:

  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • pig:runtimeClasspath
  • piglet:default
  • pig:default
  • pig:compileClasspath

hamcrest-core-2.1.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.hamcrest/hamcrest-core/2.1/70dd49dea4507315b1fa3bc1aa59b1442d55957a/hamcrest-core-2.1.jar
MD5: c0e187c67e3a7910d5d54894964cc195
SHA1: 70dd49dea4507315b1fa3bc1aa59b1442d55957a
SHA256:e09109e54a289d88506b9bfec987ddd199f4217c9464132668351b9a4f00bee9
Referenced In Projects/Scopes:

  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • pig:runtimeClasspath
  • piglet:default
  • pig:default
  • pig:compileClasspath

hk2-api-2.4.0-b34.jar

Description:

${project.name}

License:

https://glassfish.java.net/nonav/public/CDDL+GPL_1_1.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.glassfish.hk2/hk2-api/2.4.0-b34/1017432e219dbd1d4a1121b2d7e87c5b2f0bcfb9/hk2-api-2.4.0-b34.jar
MD5: 2972849752ed511bd069812ba2b29d2d
SHA1: 1017432e219dbd1d4a1121b2d7e87c5b2f0bcfb9
SHA256:6eb071aaea327015ac3da18d5066c364c1a39978f4b6f94644158675ca5b9ced
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

hk2-locator-2.4.0-b34.jar

Description:

${project.name}

License:

https://glassfish.java.net/nonav/public/CDDL+GPL_1_1.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.glassfish.hk2/hk2-locator/2.4.0-b34/1451fc3e5b7f00d7a5ca0feaff2c1bf68be5ac91/hk2-locator-2.4.0-b34.jar
MD5: 09eda1a8dd33d465ec7bac9536f3eaf7
SHA1: 1451fc3e5b7f00d7a5ca0feaff2c1bf68be5ac91
SHA256:ea47ebf7ed56ef751055710cfad36840bcc36383cf387c4a963b41447c066f8f
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

hk2-utils-2.4.0-b34.jar

Description:

${project.name}

License:

https://glassfish.java.net/nonav/public/CDDL+GPL_1_1.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.glassfish.hk2/hk2-utils/2.4.0-b34/aacce18411fffef9621d8fc91464ca0477119c38/hk2-utils-2.4.0-b34.jar
MD5: f0c9e9df24ad2c2feb1f950b82146245
SHA1: aacce18411fffef9621d8fc91464ca0477119c38
SHA256:70211b1f918819bf6afbf69d3d19d4ae6e2a75d6e26f6c39ba9f20eb8e5612d7
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

hk2-utils-2.4.0-b34.jar (shaded: org.jvnet:tiger-types:1.4)

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.glassfish.hk2/hk2-utils/2.4.0-b34/aacce18411fffef9621d8fc91464ca0477119c38/hk2-utils-2.4.0-b34.jar/META-INF/maven/org.jvnet/tiger-types/pom.xml
MD5: 51329dba505e7cc4a9bc2719cf195be0
SHA1: 5855a7ee03b816073c2b448bce93319bd71f7029
SHA256:58794aca99cadb3aab687b56fd6d84871956590323dd0ea5d611db759e78c6b9
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

hsqldb-1.8.0.10.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/hsqldb/hsqldb/1.8.0.10/7e9978fdb754bce5fcd5161133e7734ecb683036/hsqldb-1.8.0.10.jar
MD5: 7df83e09e41d742cc5fb20d16b80729c
SHA1: 7e9978fdb754bce5fcd5161133e7734ecb683036
SHA256:b04b3b3ac295d497c87230eeb4f888327a5a15b9c3c1567db202a51d83ac9e41
Referenced In Projects/Scopes:

  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • pig:runtimeClasspath
  • piglet:default
  • pig:default
  • pig:compileClasspath

hsqldb-2.4.1.jar

Description:

HyperSQL Lightweight 100% Java SQL Database Engine

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.hsqldb/hsqldb/2.4.1/9daff99b4fbd6809fd46ab4327650ad00a1be6d4/hsqldb-2.4.1.jar
MD5: 4fecc773be5e64721615213d314e8de3
SHA1: 9daff99b4fbd6809fd46ab4327650ad00a1be6d4
SHA256:417294fff9d6b6a4f7ee522982ed2693cdda28d131da0d9e4f048a57d6e1cdb2
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • plus:compileClasspath
  • plus:default
  • plus:runtimeClasspath

htrace-core-3.1.0-incubating.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.htrace/htrace-core/3.1.0-incubating/f73606e7c9ede5802335c290bf47490ad6d51df3/htrace-core-3.1.0-incubating.jar
MD5: c49a4662d691a09eed10e0a35dd73299
SHA1: f73606e7c9ede5802335c290bf47490ad6d51df3
SHA256:d96c869afaf65315ece8ca09673b187557e9dbaad31df24467a5aa759812188d
Referenced In Projects/Scopes:

  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • piglet:default
  • spark:runtimeClasspath

htrace-core-3.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-annotations:2.4.0)

Description:

Core annotations used for value types, used by Jackson data binding package.

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.htrace/htrace-core/3.1.0-incubating/f73606e7c9ede5802335c290bf47490ad6d51df3/htrace-core-3.1.0-incubating.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-annotations/pom.xml
MD5: 556310b593b9688b85686409e0bd5377
SHA1: 2b75fa41636e5d02edc961ee9c68e6f041dc85a9
SHA256:63e2e01157c8964913ef8bb0e69cec0d363d31129089206f7fb07ee5438359c0
Referenced In Projects/Scopes:

  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • piglet:default
  • spark:runtimeClasspath

CVE-2018-1000873  

Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in Causes a denial-of-service (DoS). This attack appear to be exploitable via The victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

htrace-core-3.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-core:2.4.0)

Description:

Core Jackson abstractions, basic JSON streaming API implementation

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.htrace/htrace-core/3.1.0-incubating/f73606e7c9ede5802335c290bf47490ad6d51df3/htrace-core-3.1.0-incubating.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-core/pom.xml
MD5: b5ed6cb7f987a4da86141638b1538d81
SHA1: ed8235ea6d84480833675e709b415bde24ce25f7
SHA256:8310978da8c7013ecaaba13c9b41b75ab3a09797ae4b946ae5e1614088f995d7
Referenced In Projects/Scopes:

  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • piglet:default
  • spark:runtimeClasspath

CVE-2018-1000873  

Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in Causes a denial-of-service (DoS). This attack appear to be exploitable via The victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

htrace-core-3.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0)

Description:

General data-binding functionality for Jackson: works on core streaming API

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.htrace/htrace-core/3.1.0-incubating/f73606e7c9ede5802335c290bf47490ad6d51df3/htrace-core-3.1.0-incubating.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml
MD5: d3f7afe903419aa0c03f9cf8682e1a69
SHA1: 3c0d06b6c0a9f4135fcf5c5557c751c0cd066c0c
SHA256:083be927bdddaf1e992d0e9f0fff509b60f35deea307216d8ba773f065a6f30c
Referenced In Projects/Scopes:

  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • piglet:default
  • spark:runtimeClasspath

CVE-2017-15095 (OSSINDEX)  

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.4.0:*:*:*:*:*:*:*

CVE-2017-17485 (OSSINDEX)  

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.4.0:*:*:*:*:*:*:*

CVE-2017-7525 (OSSINDEX)  

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.4.0:*:*:*:*:*:*:*

CVE-2018-1000873  

Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in Causes a denial-of-service (DoS). This attack appear to be exploitable via The victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVE-2018-11307 (OSSINDEX)  

An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.4.0:*:*:*:*:*:*:*

CVE-2018-14718 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.4.0:*:*:*:*:*:*:*

CVE-2018-5968 (OSSINDEX)  

FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.4.0:*:*:*:*:*:*:*

CVE-2018-7489  

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
CWE-502 Deserialization of Untrusted Data, CWE-184 Incomplete Blacklist

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2019-14540 (OSSINDEX)  

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.4.0:*:*:*:*:*:*:*

CVE-2019-14893 (OSSINDEX)  

A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.4.0:*:*:*:*:*:*:*

CVE-2019-16335 (OSSINDEX)  

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.4.0:*:*:*:*:*:*:*

CVE-2019-16942 (OSSINDEX)  

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.4.0:*:*:*:*:*:*:*

CVE-2019-16943 (OSSINDEX)  

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.4.0:*:*:*:*:*:*:*

CVE-2019-17267 (OSSINDEX)  

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.4.0:*:*:*:*:*:*:*

CVE-2019-17531 (OSSINDEX)  

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.4.0:*:*:*:*:*:*:*

CVE-2019-20330 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.4.0:*:*:*:*:*:*:*

CVE-2020-35490  

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2020-35491  

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-611: Improper Restriction of XML External Entity Reference ('XXE') (OSSINDEX)  

The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv3:
  • Base Score: MEDIUM (5.4)
  • Vector: CVSS:/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.4.0:*:*:*:*:*:*:*

httpasyncclient-4.1.4.jar

Description:

Apache HttpComponents AsyncClient

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpasyncclient/4.1.4/f3a3240681faae3fa46b573a4c7e50cec9db0d86/httpasyncclient-4.1.4.jar
MD5: f29a16f1c28f5b3dd511cbd16d7fa422
SHA1: f3a3240681faae3fa46b573a4c7e50cec9db0d86
SHA256:50e981a8e567a16ebdad104605b156540a863459fa127b8ba647f310dfc83ef8
Referenced In Projects/Scopes:

  • elasticsearch:compileClasspath
  • calcite:sqllineClasspath
  • elasticsearch:runtimeClasspath
  • elasticsearch:default

httpclient-4.5.9.jar

Description:

Apache HttpComponents Client

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.5.9/a25c1be5ce99d0ce99aa43eb982868c796dd0775/httpclient-4.5.9.jar
MD5: 62fce5f1f44f9df4a68d9a390b8982eb
SHA1: a25c1be5ce99d0ce99aa43eb982868c796dd0775
SHA256:6c7e3bb423d8c5574f28157fe42b4c38d6a3477bfa2954cfe5f330b14ecad8a9
Referenced In Projects/Scopes:

  • piglet:compileClasspath
  • babel:default
  • piglet:runtimeClasspath
  • spark:default
  • splunk:default
  • function:runtimeClasspath
  • kafka:default
  • spark:compileClasspath
  • redis:runtimeClasspath
  • server:runtimeClasspath
  • cassandra:runtimeClasspath
  • druid:default
  • spark:runtimeClasspath
  • core:default
  • linq4j:runtimeClasspath
  • linq4j:default
  • elasticsearch:compileClasspath
  • babel:runtimeClasspath
  • elasticsearch:runtimeClasspath
  • innodb:default
  • piglet:default
  • pig:default
  • plus:runtimeClasspath
  • function:default
  • csv:default
  • kafka:runtimeClasspath
  • splunk:runtimeClasspath
  • file:runtimeClasspath
  • innodb:runtimeClasspath
  • calcite:sqllineClasspath
  • core:runtimeClasspath
  • geode:default
  • elasticsearch:default
  • geode:compileClasspath
  • druid:runtimeClasspath
  • mongodb:runtimeClasspath
  • file:default
  • server:default
  • pig:runtimeClasspath
  • mongodb:default
  • redis:default
  • geode:runtimeClasspath
  • csv:runtimeClasspath
  • plus:default
  • cassandra:default

CVE-2020-13956  

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

httpcore-4.4.11.jar

Description:

Apache HttpComponents Core (blocking I/O)

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpcore/4.4.11/de748cf874e4e193b42eceea9fe5574fabb9d4df/httpcore-4.4.11.jar
MD5: 9299550b06219959d0f2223b1a8bb337
SHA1: de748cf874e4e193b42eceea9fe5574fabb9d4df
SHA256:d799522d579aac06b170603f8f080f6e3248dadc01f9652cdd7ea7bc318c21ce
Referenced In Projects/Scopes:

  • piglet:compileClasspath
  • babel:default
  • piglet:runtimeClasspath
  • spark:default
  • splunk:default
  • function:runtimeClasspath
  • kafka:default
  • spark:compileClasspath
  • redis:runtimeClasspath
  • server:runtimeClasspath
  • cassandra:runtimeClasspath
  • druid:default
  • spark:runtimeClasspath
  • core:default
  • linq4j:runtimeClasspath
  • linq4j:default
  • elasticsearch:compileClasspath
  • babel:runtimeClasspath
  • elasticsearch:runtimeClasspath
  • innodb:default
  • piglet:default
  • pig:default
  • plus:runtimeClasspath
  • function:default
  • csv:default
  • kafka:runtimeClasspath
  • splunk:runtimeClasspath
  • file:runtimeClasspath
  • innodb:runtimeClasspath
  • calcite:sqllineClasspath
  • core:runtimeClasspath
  • geode:default
  • elasticsearch:default
  • geode:compileClasspath
  • druid:runtimeClasspath
  • mongodb:runtimeClasspath
  • file:default
  • server:default
  • pig:runtimeClasspath
  • mongodb:default
  • redis:default
  • geode:runtimeClasspath
  • csv:runtimeClasspath
  • plus:default
  • cassandra:default

httpcore-nio-4.4.11.jar

Description:

Apache HttpComponents Core (non-blocking I/O)

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpcore-nio/4.4.11/7d0a97d01d39cff9aa3e6db81f21fddb2435f4e6/httpcore-nio-4.4.11.jar
MD5: 2fcc3dad75151d9891ba8e4a889ab24a
SHA1: 7d0a97d01d39cff9aa3e6db81f21fddb2435f4e6
SHA256:112b4e76323f8f69d704d250d7f233a1bd15eb7631a83e80ebbd25de684e4272
Referenced In Projects/Scopes:

  • elasticsearch:compileClasspath
  • calcite:sqllineClasspath
  • elasticsearch:runtimeClasspath
  • elasticsearch:default

ical4j-1.0.2.jar

Description:

A Java library for reading and writing iCalendar (*.ics) files

License:

iCal4j - License: LICENSE
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.mnode.ical4j/ical4j/1.0.2/3690b6d480ed15b64be7a687dd4f2869075c555/ical4j-1.0.2.jar
MD5: ed48ee62d9aacbf3f6be0bb0d7ca842c
SHA1: 03690b6d480ed15b64be7a687dd4f2869075c555
SHA256:40b6b85c2b3862d755199373d96c103a0fc2a0bbf9a136e3f26233711d463add
Referenced In Projects/Scopes:
  • file:compileClasspath
  • file:runtimeClasspath
  • calcite:sqllineClasspath
  • csv:runtimeClasspath
  • file:default
  • csv:default

imageinfo-1.9.jar

Description:

A free Java class to retrieve properties from image files

License:

Public Domain
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.devlib.schmidt/imageinfo/1.9/e9ff2b7c4bc9f3b14a20bed7d08c89f9a4797fd0/imageinfo-1.9.jar
MD5: 4e6047aeeb6c6c2f5040e669ce026190
SHA1: e9ff2b7c4bc9f3b14a20bed7d08c89f9a4797fd0
SHA256:60a9c9e492280a4806dd13dfa9593bb6273188fc89c0076cab8a2b7ff80d525b
Referenced In Projects/Scopes:
  • babel:fmppClaspath
  • server:fmppClaspath
  • core:fmppClaspath

innodb-java-reader-1.0.10.jar

Description:

innodb-java-reader

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.alibaba.database/innodb-java-reader/1.0.10/4fc85a951fc25b1e17184650edd11f78c8c79469/innodb-java-reader-1.0.10.jar
MD5: 91d3b9a9fe1eafa58bceec7b95d403f1
SHA1: 4fc85a951fc25b1e17184650edd11f78c8c79469
SHA256:d40aff74f4f0deac8423da5fbdeeb020171c3a301130976f764d146025f77033
Referenced In Projects/Scopes:

  • innodb:compileClasspath
  • innodb:runtimeClasspath
  • calcite:sqllineClasspath
  • innodb:default

Identifiers

istack-commons-runtime-2.2.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.sun.istack/istack-commons-runtime/2.2/475249c175393a25d953433182edb7c1a0c35dec/istack-commons-runtime-2.2.jar
MD5: 57a578385f55cf8d9f720e4af3b5ca90
SHA1: 475249c175393a25d953433182edb7c1a0c35dec
SHA256:9828ccc9434c7d08a8a4aae61ae0e6ec7c9e70626f45a741cfa88b310dd0fd78
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • geode:default
  • geode:runtimeClasspath

Identifiers

ivy-2.2.0.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.ivy/ivy/2.2.0/f9d1e83e82fc085093510f7d2e77d81d52bc2081/ivy-2.2.0.jar
MD5: 2703395cb677b36bbe04f0e868a10d2b
SHA1: f9d1e83e82fc085093510f7d2e77d81d52bc2081
SHA256:9d0a56026680999986ca33d53d12d6f28f7bff5e3c9e6e0c6633a3677ca00f18
Referenced In Projects/Scopes:

  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • pig:runtimeClasspath
  • piglet:default
  • pig:default
  • pig:compileClasspath

Identifiers

ivy-2.4.0.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.ivy/ivy/2.4.0/5abe4c24bbe992a9ac07ca563d5bd3e8d569e9ed/ivy-2.4.0.jar
MD5: 8c88b943fcd643d5e592b86179c6fbeb
SHA1: 5abe4c24bbe992a9ac07ca563d5bd3e8d569e9ed
SHA256:ce81cb234406b093b5b8de9f6f5b2a50ed0824d6a235891353e8d3e941a53970
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

j2objc-annotations-1.3.jar

Description:

A set of annotations that provide additional information to the J2ObjC translator to modify the result of translation.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.google.j2objc/j2objc-annotations/1.3/ba035118bc8bac37d7eff77700720999acd9986d/j2objc-annotations-1.3.jar
MD5: 5fa4ec4ec0c5aa70af8a7d4922df1931
SHA1: ba035118bc8bac37d7eff77700720999acd9986d
SHA256:21af30c92267bd6122c0e0b4d20cccb6641a37eaf956c6540ec471d584e64a7b
Referenced In Projects/Scopes:
  • cassandra:compileClasspath
  • piglet:compileClasspath
  • splunk:checkstyle
  • calcite:checkstyle
  • piglet:runtimeClasspath
  • spark:default
  • splunk:default
  • kafka:default
  • spark:compileClasspath
  • function:checkstyle
  • server:runtimeClasspath
  • cassandra:runtimeClasspath
  • druid:default
  • spark:runtimeClasspath
  • linq4j:runtimeClasspath
  • linq4j:default
  • druid:checkstyle
  • druid:compileClasspath
  • plus:compileClasspath
  • csv:checkstyle
  • linq4j:compileClasspath
  • pig:default
  • plus:runtimeClasspath
  • splunk:compileClasspath
  • core:checkstyle
  • function:default
  • file:compileClasspath
  • core:implementationDependenciesMetadata
  • file:checkstyle
  • kafka:runtimeClasspath
  • splunk:runtimeClasspath
  • file:runtimeClasspath
  • innodb:runtimeClasspath
  • elasticsearch:default
  • geode:checkstyle
  • kafka:compileClasspath
  • druid:runtimeClasspath
  • mongodb:checkstyle
  • elasticsearch:checkstyle
  • linq4j:checkstyle
  • redis:checkstyle
  • babel:checkstyle
  • mongodb:default
  • cassandra:default
  • innodb:checkstyle
  • cassandra:checkstyle
  • piglet:checkstyle
  • bom:checkstyle
  • babel:default
  • function:runtimeClasspath
  • redis:compileClasspath
  • redis:runtimeClasspath
  • spark:checkstyle
  • plus:checkstyle
  • core:default
  • function:compileClasspath
  • pig:checkstyle
  • elasticsearch:compileClasspath
  • babel:runtimeClasspath
  • elasticsearch:runtimeClasspath
  • innodb:default
  • piglet:default
  • babel:compileClasspath
  • server:checkstyle
  • csv:default
  • innodb:compileClasspath
  • core:compileClasspath
  • calcite:sqllineClasspath
  • core:runtimeClasspath
  • geode:default
  • geode:compileClasspath
  • mongodb:runtimeClasspath
  • release:checkstyle
  • file:default
  • server:default
  • kafka:checkstyle
  • ubenchmark:checkstyle
  • ubenchmark:jmhCompileClasspath
  • example:checkstyle
  • pig:runtimeClasspath
  • mongodb:compileClasspath
  • server:compileClasspath
  • redis:default
  • geode:runtimeClasspath
  • csv:compileClasspath
  • csv:runtimeClasspath
  • plus:default
  • pig:compileClasspath

Identifiers

jackson-annotations-2.10.0.jar

Description:

Core annotations used for value types, used by Jackson data binding package.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-annotations/2.10.0/e01cfd93b80d6773b3f757c78e756c9755b47b81/jackson-annotations-2.10.0.jar
MD5: 138ada7579397b2a88e41b132b0b46a3
SHA1: e01cfd93b80d6773b3f757c78e756c9755b47b81
SHA256:77a0846219774a8269bc1b38cc00294908d34e77f8a9da34d97673982f75853d
Referenced In Projects/Scopes:
  • cassandra:compileClasspath
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • spark:default
  • splunk:default
  • kafka:default
  • spark:compileClasspath
  • server:runtimeClasspath
  • cassandra:runtimeClasspath
  • druid:default
  • spark:runtimeClasspath
  • linq4j:runtimeClasspath
  • linq4j:default
  • druid:compileClasspath
  • plus:compileClasspath
  • linq4j:compileClasspath
  • pig:default
  • plus:runtimeClasspath
  • splunk:compileClasspath
  • function:default
  • file:compileClasspath
  • core:implementationDependenciesMetadata
  • kafka:runtimeClasspath
  • splunk:runtimeClasspath
  • file:runtimeClasspath
  • innodb:runtimeClasspath
  • elasticsearch:default
  • kafka:compileClasspath
  • druid:runtimeClasspath
  • mongodb:default
  • cassandra:default
  • babel:default
  • function:runtimeClasspath
  • redis:compileClasspath
  • redis:runtimeClasspath
  • core:default
  • function:compileClasspath
  • elasticsearch:compileClasspath
  • babel:runtimeClasspath
  • elasticsearch:runtimeClasspath
  • innodb:default
  • piglet:default
  • babel:compileClasspath
  • csv:default
  • innodb:compileClasspath
  • core:compileClasspath
  • calcite:sqllineClasspath
  • core:runtimeClasspath
  • geode:default
  • geode:compileClasspath
  • mongodb:runtimeClasspath
  • file:default
  • server:default
  • ubenchmark:jmhCompileClasspath
  • pig:runtimeClasspath
  • mongodb:compileClasspath
  • server:compileClasspath
  • redis:default
  • geode:runtimeClasspath
  • csv:compileClasspath
  • csv:runtimeClasspath
  • plus:default
  • pig:compileClasspath

Identifiers

jackson-core-2.10.0.jar

Description:

Core Jackson processing abstractions (aka Streaming API), implementation for JSON

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-core/2.10.0/4e2c5fa04648ec9772c63e2101c53af6504e624e/jackson-core-2.10.0.jar
MD5: b109d8d9d0519111d5756389fa5bfd87
SHA1: 4e2c5fa04648ec9772c63e2101c53af6504e624e
SHA256:69e7695b1e40834fa1242fc328a4010607911ced3706ab79abc769d451197513
Referenced In Projects/Scopes:
  • cassandra:compileClasspath
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • spark:default
  • splunk:default
  • kafka:default
  • spark:compileClasspath
  • server:runtimeClasspath
  • cassandra:runtimeClasspath
  • druid:default
  • spark:runtimeClasspath
  • linq4j:runtimeClasspath
  • linq4j:default
  • druid:compileClasspath
  • plus:compileClasspath
  • linq4j:compileClasspath
  • pig:default
  • plus:runtimeClasspath
  • splunk:compileClasspath
  • function:default
  • file:compileClasspath
  • core:implementationDependenciesMetadata
  • kafka:runtimeClasspath
  • splunk:runtimeClasspath
  • file:runtimeClasspath
  • innodb:runtimeClasspath
  • elasticsearch:default
  • kafka:compileClasspath
  • druid:runtimeClasspath
  • mongodb:default
  • cassandra:default
  • babel:default
  • function:runtimeClasspath
  • redis:compileClasspath
  • redis:runtimeClasspath
  • core:default
  • function:compileClasspath
  • elasticsearch:compileClasspath
  • babel:runtimeClasspath
  • elasticsearch:runtimeClasspath
  • innodb:default
  • piglet:default
  • babel:compileClasspath
  • csv:default
  • innodb:compileClasspath
  • core:compileClasspath
  • calcite:sqllineClasspath
  • core:runtimeClasspath
  • geode:default
  • geode:compileClasspath
  • mongodb:runtimeClasspath
  • file:default
  • server:default
  • ubenchmark:jmhCompileClasspath
  • pig:runtimeClasspath
  • mongodb:compileClasspath
  • server:compileClasspath
  • redis:default
  • geode:runtimeClasspath
  • csv:compileClasspath
  • csv:runtimeClasspath
  • plus:default
  • pig:compileClasspath

Identifiers

jackson-core-asl-1.8.8.jar

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.codehaus.jackson/jackson-core-asl/1.8.8/dd2e90bb710ea3bc4610e24299d6a4c8dac5049b/jackson-core-asl-1.8.8.jar
MD5: a65a9709da8186ed9a1c739355414460
SHA1: dd2e90bb710ea3bc4610e24299d6a4c8dac5049b
SHA256:96b394f135bf396679681aca6716d8bea14a97cf306d3738a053c43d07a1308b
Referenced In Projects/Scopes:
  • pig:runtimeClasspath
  • pig:default
  • pig:compileClasspath

Identifiers

jackson-core-asl-1.9.11.jar

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.codehaus.jackson/jackson-core-asl/1.9.11/e32303ef8bd18a5c9272780d49b81c95e05ddf43/jackson-core-asl-1.9.11.jar
MD5: 49801a6d43725d5c3a1a52ca021d7dc5
SHA1: e32303ef8bd18a5c9272780d49b81c95e05ddf43
SHA256:5fb6924b888550a9b0e8420747a93cc4ad24e03e724dcf4934c30cc0c4882ffc
Referenced In Projects/Scopes:
  • innodb:compileClasspath
  • innodb:runtimeClasspath
  • innodb:default

Identifiers

jackson-core-asl-1.9.13.jar

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.codehaus.jackson/jackson-core-asl/1.9.13/3c304d70f42f832e0a86d45bd437f692129299a4/jackson-core-asl-1.9.13.jar
MD5: 319c49a4304e3fa9fe3cd8dcfc009d37
SHA1: 3c304d70f42f832e0a86d45bd437f692129299a4
SHA256:440a9cb5ca95b215f953d3a20a6b1a10da1f09b529a9ddea5f8a4905ddab4f5a
Referenced In Projects/Scopes:
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • piglet:default
  • spark:runtimeClasspath

Identifiers

jackson-databind-2.10.0.jar

Description:

General data-binding functionality for Jackson: works on core streaming API

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.10.0/1127c9cf62f2bb3121a3a2a0a1351d251a602117/jackson-databind-2.10.0.jar
MD5: 195bfa368ad502b05427d9fb0346735d
SHA1: 1127c9cf62f2bb3121a3a2a0a1351d251a602117
SHA256:8e6c566c67fc61a96c5dfc4a71d430f2565765778ec9a6ef216c5460a9911b60
Referenced In Projects/Scopes:
  • cassandra:compileClasspath
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • spark:default
  • splunk:default
  • kafka:default
  • spark:compileClasspath
  • server:runtimeClasspath
  • cassandra:runtimeClasspath
  • druid:default
  • spark:runtimeClasspath
  • linq4j:runtimeClasspath
  • linq4j:default
  • druid:compileClasspath
  • plus:compileClasspath
  • linq4j:compileClasspath
  • pig:default
  • plus:runtimeClasspath
  • splunk:compileClasspath
  • function:default
  • file:compileClasspath
  • core:implementationDependenciesMetadata
  • kafka:runtimeClasspath
  • splunk:runtimeClasspath
  • file:runtimeClasspath
  • innodb:runtimeClasspath
  • elasticsearch:default
  • kafka:compileClasspath
  • druid:runtimeClasspath
  • mongodb:default
  • cassandra:default
  • babel:default
  • function:runtimeClasspath
  • redis:compileClasspath
  • redis:runtimeClasspath
  • core:default
  • function:compileClasspath
  • elasticsearch:compileClasspath
  • babel:runtimeClasspath
  • elasticsearch:runtimeClasspath
  • innodb:default
  • piglet:default
  • babel:compileClasspath
  • csv:default
  • innodb:compileClasspath
  • core:compileClasspath
  • calcite:sqllineClasspath
  • core:runtimeClasspath
  • geode:default
  • geode:compileClasspath
  • mongodb:runtimeClasspath
  • file:default
  • server:default
  • ubenchmark:jmhCompileClasspath
  • pig:runtimeClasspath
  • mongodb:compileClasspath
  • server:compileClasspath
  • redis:default
  • geode:runtimeClasspath
  • csv:compileClasspath
  • csv:runtimeClasspath
  • plus:default
  • pig:compileClasspath

Identifiers

CVE-2020-25649  

A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

jackson-dataformat-yaml-2.10.0.jar

Description:

Support for reading and writing YAML-encoded data via Jackson abstractions.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.dataformat/jackson-dataformat-yaml/2.10.0/601e067f98b39f7991f66d99a3228044b9bf37c8/jackson-dataformat-yaml-2.10.0.jar
MD5: bf7bf4a029e965435d9bb1dbf8dc60b1
SHA1: 601e067f98b39f7991f66d99a3228044b9bf37c8
SHA256:235cb6f2816d55aa5e8a1c6e37b142cfc2bd5e459aa733820d68e736b6527f7c
Referenced In Projects/Scopes:
  • babel:default
  • piglet:runtimeClasspath
  • spark:default
  • splunk:default
  • function:runtimeClasspath
  • kafka:default
  • redis:runtimeClasspath
  • server:runtimeClasspath
  • cassandra:runtimeClasspath
  • druid:default
  • spark:runtimeClasspath
  • core:default
  • babel:runtimeClasspath
  • elasticsearch:runtimeClasspath
  • innodb:default
  • piglet:default
  • pig:default
  • plus:runtimeClasspath
  • function:default
  • csv:default
  • core:implementationDependenciesMetadata
  • kafka:runtimeClasspath
  • splunk:runtimeClasspath
  • core:compileClasspath
  • file:runtimeClasspath
  • innodb:runtimeClasspath
  • calcite:sqllineClasspath
  • core:runtimeClasspath
  • geode:default
  • elasticsearch:default
  • druid:runtimeClasspath
  • mongodb:runtimeClasspath
  • file:default
  • server:default
  • pig:runtimeClasspath
  • mongodb:default
  • redis:default
  • geode:runtimeClasspath
  • csv:runtimeClasspath
  • plus:default
  • cassandra:default

Identifiers

jackson-jaxrs-1.8.3.jar

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.codehaus.jackson/jackson-jaxrs/1.8.3/3604ca9f572170e2ef5813141ec1f0e0100efd19/jackson-jaxrs-1.8.3.jar
MD5: 7634227657d2414a0c65e0818b30d5ed
SHA1: 3604ca9f572170e2ef5813141ec1f0e0100efd19
SHA256:cadd12137aaf121722630d00117df63e34afc5b3dab5be68c921740114a05fba
Referenced In Projects/Scopes:
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • piglet:default

Identifiers

CVE-2018-7489  

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
CWE-502 Deserialization of Untrusted Data, CWE-184 Incomplete Blacklist

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

jackson-jaxrs-1.9.13.jar

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.codehaus.jackson/jackson-jaxrs/1.9.13/534d72d2b9d6199dd531dfb27083dd4844082bba/jackson-jaxrs-1.9.13.jar
MD5: 8481e1904d9bfe974157a6af04b4445e
SHA1: 534d72d2b9d6199dd531dfb27083dd4844082bba
SHA256:1770570a6ba5c87a4795c0aeb40ee7c5fe5e31df64ef1d4795a0d427796b84bb
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

CVE-2018-7489  

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
CWE-502 Deserialization of Untrusted Data, CWE-184 Incomplete Blacklist

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

jackson-mapper-asl-1.8.8.jar

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.codehaus.jackson/jackson-mapper-asl/1.8.8/1bb32d9d2527c083a56e234acca49a48d3c65c8/jackson-mapper-asl-1.8.8.jar
MD5: 3e6795b01c7b5fa40eeae9fe4eb7b523
SHA1: 01bb32d9d2527c083a56e234acca49a48d3c65c8
SHA256:56436abd3e06c45e496b8604fd3f3b0f22451a9b5de8433b6f8b416e7a14a048
Referenced In Projects/Scopes:
  • pig:runtimeClasspath
  • pig:default
  • pig:compileClasspath

Identifiers

CVE-2017-15095 (OSSINDEX)  

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.8.8:*:*:*:*:*:*:*

CVE-2017-17485 (OSSINDEX)  

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.8.8:*:*:*:*:*:*:*

CVE-2017-7525 (OSSINDEX)  

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.8.8:*:*:*:*:*:*:*

CVE-2018-1000873 (OSSINDEX)  

FasterXML Jackson versions before 2.9.8 contain a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in a denial of service (DoS). This attack appears to be exploitable when the victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.8.8:*:*:*:*:*:*:*

CVE-2018-14718 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.8.8:*:*:*:*:*:*:*

CVE-2018-5968 (OSSINDEX)  

FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.8.8:*:*:*:*:*:*:*

CVE-2018-7489 (OSSINDEX)  

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.8.8:*:*:*:*:*:*:*

CVE-2019-14540 (OSSINDEX)  

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.8.8:*:*:*:*:*:*:*

CVE-2019-14893 (OSSINDEX)  

A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.8.8:*:*:*:*:*:*:*

CVE-2019-16335 (OSSINDEX)  

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.8.8:*:*:*:*:*:*:*

CVE-2019-17267 (OSSINDEX)  

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.8.8:*:*:*:*:*:*:*

jackson-mapper-asl-1.9.11.jar

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.codehaus.jackson/jackson-mapper-asl/1.9.11/45d70862fa016993193075a1e8e32a01dcf438e8/jackson-mapper-asl-1.9.11.jar
MD5: 8f10143a94de3e786dd53db10fa54598
SHA1: 45d70862fa016993193075a1e8e32a01dcf438e8
SHA256:246ee4dcb26cb040608eab5d978efe2618564568923c0a98e6118f8858b31def
Referenced In Projects/Scopes:
  • innodb:compileClasspath
  • innodb:runtimeClasspath
  • innodb:default

Identifiers

CVE-2017-15095 (OSSINDEX)  

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.11:*:*:*:*:*:*:*

CVE-2017-17485 (OSSINDEX)  

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.11:*:*:*:*:*:*:*

CVE-2017-7525 (OSSINDEX)  

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.11:*:*:*:*:*:*:*

CVE-2018-1000873 (OSSINDEX)  

FasterXML Jackson versions before 2.9.8 contain a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in a denial of service (DoS). This attack appears to be exploitable when the victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.11:*:*:*:*:*:*:*

CVE-2018-14718 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.11:*:*:*:*:*:*:*

CVE-2018-5968 (OSSINDEX)  

FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.11:*:*:*:*:*:*:*

CVE-2018-7489 (OSSINDEX)  

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.11:*:*:*:*:*:*:*

CVE-2019-10172  

A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar to CVE-2016-3720 also affect codehaus jackson-mapper-asl libraries, but in different classes.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2019-14540 (OSSINDEX)  

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.11:*:*:*:*:*:*:*

CVE-2019-14893 (OSSINDEX)  

A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.11:*:*:*:*:*:*:*

CVE-2019-16335 (OSSINDEX)  

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.11:*:*:*:*:*:*:*

CVE-2019-17267 (OSSINDEX)  

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.11:*:*:*:*:*:*:*

jackson-mapper-asl-1.9.13.jar

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.codehaus.jackson/jackson-mapper-asl/1.9.13/1ee2f2bed0e5dd29d1cb155a166e6f8d50bbddb7/jackson-mapper-asl-1.9.13.jar
MD5: 1750f9c339352fc4b728d61b57171613
SHA1: 1ee2f2bed0e5dd29d1cb155a166e6f8d50bbddb7
SHA256:74e7a07a76f2edbade29312a5a2ebccfa019128bc021ece3856d76197e9be0c2
Referenced In Projects/Scopes:
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • piglet:default
  • spark:runtimeClasspath

Identifiers

CVE-2017-15095 (OSSINDEX)  

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.13:*:*:*:*:*:*:*

CVE-2017-17485 (OSSINDEX)  

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.13:*:*:*:*:*:*:*

CVE-2017-7525 (OSSINDEX)  

A deserialization flaw was discovered in jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.13:*:*:*:*:*:*:*

CVE-2018-1000873 (OSSINDEX)  

FasterXML Jackson versions before 2.9.8 contain a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in a denial of service (DoS). This attack appears to be exploitable when the victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.13:*:*:*:*:*:*:*

CVE-2018-14718 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.13:*:*:*:*:*:*:*

CVE-2018-5968 (OSSINDEX)  

FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.13:*:*:*:*:*:*:*

CVE-2018-7489 (OSSINDEX)  

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.13:*:*:*:*:*:*:*

CVE-2019-10172  

A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar to CVE-2016-3720 also affect codehaus jackson-mapper-asl libraries, but in different classes.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2019-14540 (OSSINDEX)  

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.13:*:*:*:*:*:*:*

CVE-2019-14893 (OSSINDEX)  

A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.13:*:*:*:*:*:*:*

CVE-2019-16335 (OSSINDEX)  

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.13:*:*:*:*:*:*:*

CVE-2019-17267 (OSSINDEX)  

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.13:*:*:*:*:*:*:*

jackson-module-paranamer-2.10.0.jar

Description:

AnnotationIntrospectors that use Paranamer (http://paranamer.codehaus.org) to introspect names of constructor (and factory method) parameters.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.module/jackson-module-paranamer/2.10.0/4fc4ba10b328a53ac5653cee15504621c6b66083/jackson-module-paranamer-2.10.0.jar
MD5: e3076d5b57027a2ff197335bd3d743d4
SHA1: 4fc4ba10b328a53ac5653cee15504621c6b66083
SHA256:dc9eee4074dd07ee3b1659bd1ace067cc67a0329ddee426b8499ec40226d881f
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

jackson-module-scala_2.10-2.10.0.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.module/jackson-module-scala_2.10/2.10.0/bb3cc67f3ff6c8a1ebddfdecdc5eeecfd05bec7d/jackson-module-scala_2.10-2.10.0.jar
MD5: f3848d15fb91e5c626c9f0ddeabea57a
SHA1: bb3cc67f3ff6c8a1ebddfdecdc5eeecfd05bec7d
SHA256:cdb14b18f13ec74bf908532f38629d75ba7744ec2255ee5ebc5bd7f76b5fe623
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

jackson-xc-1.8.3.jar

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.codehaus.jackson/jackson-xc/1.8.3/1226667dcdb7c259b3ee07e112ed83446554516e/jackson-xc-1.8.3.jar
MD5: 0ee32b08580654d69147ecfab0321270
SHA1: 1226667dcdb7c259b3ee07e112ed83446554516e
SHA256:e25789f6d6e0c60c0f46f89d33586190bef23626d9efd3b5d41fe42b45afec96
Referenced In Projects/Scopes:
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • piglet:default

Identifiers

CVE-2018-7489  

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
CWE-502 Deserialization of Untrusted Data, CWE-184 Incomplete Blacklist

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

jackson-xc-1.9.13.jar

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.codehaus.jackson/jackson-xc/1.9.13/e3480072bc95c202476ffa1de99ff7ee9149f29c/jackson-xc-1.9.13.jar
MD5: 49f6a735bae30745dcf5ecec27090720
SHA1: e3480072bc95c202476ffa1de99ff7ee9149f29c
SHA256:2d2905fcec7d1c55b775995617685dbb03672350704d9e40b492eab5b54d0be7
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

CVE-2018-7489  

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
CWE-502 Deserialization of Untrusted Data, CWE-184 Incomplete Blacklist

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

jandex-2.2.3.Final.jar

Description:

Parent POM for JBoss projects. Provides default project build configuration.

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jboss/jandex/2.2.3.Final/d3865101f0666b63586683bd811d754517f331ab/jandex-2.2.3.Final.jar
MD5: 721b5868cfbb718dd97facc96929dde8
SHA1: d3865101f0666b63586683bd811d754517f331ab
SHA256:0544d55ec0cb378fd8f3b20e66277f893f3094cb67e71a1ec0cce6ce150f83b3
Referenced In Projects/Scopes:
  • plus:jandexClasspath
  • redis:jandexClasspath
  • splunk:jandexClasspath
  • kafka:jandexClasspath
  • csv:jandexClasspath
  • core:jandexClasspath
  • piglet:jandexClasspath
  • linq4j:jandexClasspath
  • babel:jandexClasspath
  • server:jandexClasspath
  • function:jandexClasspath
  • geode:jandexClasspath
  • mongodb:jandexClasspath
  • ubenchmark:jandexClasspath
  • innodb:jandexClasspath
  • druid:jandexClasspath
  • spark:jandexClasspath
  • pig:jandexClasspath
  • elasticsearch:jandexClasspath
  • cassandra:jandexClasspath
  • file:jandexClasspath

Identifiers

janino-3.0.11.jar

Description:

The "JANINO" implementation of the "commons-compiler" API: Super-small, super-fast, independent from the JDK's "tools.jar".

License:

https://raw.githubusercontent.com/janino-compiler/janino/master/LICENSE
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.codehaus.janino/janino/3.0.11/e699e368095379ba0402ea1780a87fcaea16e68f/janino-3.0.11.jar
MD5: a6e6d343f1a8c5c36b1a0483e7f5fbab
SHA1: e699e368095379ba0402ea1780a87fcaea16e68f
SHA256:9237b71d2329180e59210e9aaa100ee313454ef0ae588608c75cb19319591be1
Referenced In Projects/Scopes:
  • babel:default
  • piglet:runtimeClasspath
  • spark:default
  • splunk:default
  • function:runtimeClasspath
  • kafka:default
  • redis:runtimeClasspath
  • server:runtimeClasspath
  • cassandra:runtimeClasspath
  • druid:default
  • spark:runtimeClasspath
  • core:default
  • babel:runtimeClasspath
  • elasticsearch:runtimeClasspath
  • innodb:default
  • piglet:default
  • pig:default
  • plus:runtimeClasspath
  • function:default
  • csv:default
  • core:implementationDependenciesMetadata
  • kafka:runtimeClasspath
  • splunk:runtimeClasspath
  • core:compileClasspath
  • file:runtimeClasspath
  • innodb:runtimeClasspath
  • calcite:sqllineClasspath
  • core:runtimeClasspath
  • geode:default
  • elasticsearch:default
  • druid:runtimeClasspath
  • mongodb:runtimeClasspath
  • file:default
  • server:default
  • pig:runtimeClasspath
  • mongodb:default
  • redis:default
  • geode:runtimeClasspath
  • csv:runtimeClasspath
  • plus:default
  • cassandra:default

Identifiers

jansi-2.1.0.jar

Description:

Jansi is a java library for generating and interpreting ANSI escape sequences.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.fusesource.jansi/jansi/2.1.0/605acb1326439709ac32b1bdf7c2606b9ba7fc35/jansi-2.1.0.jar
MD5: 31bc4466e404217ca889f933a5540780
SHA1: 605acb1326439709ac32b1bdf7c2606b9ba7fc35
SHA256:d207c1114741e7544a8f17c07b53d91689c0716c54eaf8f3b7149e73b0ec1b09
Referenced In Project/Scope:calcite:sqllineClasspath

Identifiers

jansi-2.1.0.jar: jansi.dll

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.fusesource.jansi/jansi/2.1.0/605acb1326439709ac32b1bdf7c2606b9ba7fc35/jansi-2.1.0.jar/org/fusesource/jansi/internal/native/Windows/x86/jansi.dll
MD5: e8bf1138582700f9afe059280cd467fb
SHA1: 32d0860dd100696a4d54e88cf85260754c0353d9
SHA256:2125247b103311c1cdcc1a874e1f75708d32c4bfcb8c7509ceb014270391e8d8
Referenced In Project/Scope:calcite:sqllineClasspath

Identifiers

  • None

jansi-2.1.0.jar: jansi.dll

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.fusesource.jansi/jansi/2.1.0/605acb1326439709ac32b1bdf7c2606b9ba7fc35/jansi-2.1.0.jar/org/fusesource/jansi/internal/native/Windows/x86_64/jansi.dll
MD5: 74ff4d3bd330209ea4750ede89796dee
SHA1: 7797b94128e27d3e23f337dcc1f238cc48a26d31
SHA256:2c360d7eb9865c6dd2ad0d6a6cf6dbc06d416d936df0c339697e49655a13cb33
Referenced In Project/Scope:calcite:sqllineClasspath

Identifiers

  • None

jasper-compiler-5.5.12.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/tomcat/jasper-compiler/5.5.12/c594866c64565344c0e7bdc9bf4fee70290c4dd5/jasper-compiler-5.5.12.jar
MD5: 09f7545f0006619925988d0da8f28960
SHA1: c594866c64565344c0e7bdc9bf4fee70290c4dd5
SHA256:57667b14a10f91ced8f6ec38881708b898211fd0faba597c312fd1d1c8c6c0a3
Referenced In Projects/Scopes:

  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • pig:runtimeClasspath
  • piglet:default
  • pig:default
  • pig:compileClasspath

Identifiers

jasper-runtime-5.5.12.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/tomcat/jasper-runtime/5.5.12/f3a50a55414655b9843f5a089923ea83d49dc55e/jasper-runtime-5.5.12.jar
MD5: 00106504f4cb72c3d59f917209cfb6c3
SHA1: f3a50a55414655b9843f5a089923ea83d49dc55e
SHA256:128aa292e50cd956e8c7bbda90b7e220d044097771ed5d62ebbd5d37253ebef4
Referenced In Projects/Scopes:

  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • pig:runtimeClasspath
  • piglet:default
  • pig:default
  • pig:compileClasspath

Identifiers

java-xmlbuilder-0.4.jar

Description:

XML Builder is a utility that creates simple XML documents using relatively sparse Java code

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.jamesmurty.utils/java-xmlbuilder/0.4/ac5962e48cdee3a0a6e1f8e00fcb594747ac5aaf/java-xmlbuilder-0.4.jar
MD5: 0fa474213a6a0282cd9264f6e0dd3658
SHA1: ac5962e48cdee3a0a6e1f8e00fcb594747ac5aaf
SHA256:681e53c4ffd59fa12068803b259e3a83d43f07a47c112e748a187dee179eb31f
Referenced In Projects/Scopes:
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • piglet:default

Identifiers

java-xmlbuilder-1.0.jar

Description:

XML Builder is a utility that creates simple XML documents using relatively sparse Java code

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.jamesmurty.utils/java-xmlbuilder/1.0/4a6507aa7da3d7db5dd23eedf1185649384c3bc3/java-xmlbuilder-1.0.jar
MD5: 25be2879ad6fd58e5cb834f74be34e08
SHA1: 4a6507aa7da3d7db5dd23eedf1185649384c3bc3
SHA256:a26cb9ba3c57c84864125a584a3b0f437c8d291e33aa900b133c89f55fcf3343
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

javacc-4.0.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.java.dev.javacc/javacc/4.0/55440b393a188c8efa26db43a8292204c15d1dbc/javacc-4.0.jar
MD5: 98f9f2361d61f106a2d65e5d302eefbd
SHA1: 55440b393a188c8efa26db43a8292204c15d1dbc
SHA256:cfbab2d6acdb3764e2bcb5c0842a59f583cb5e8ba2eb5c13a8db98368aadcc2f
Referenced In Projects/Scopes:

  • core:javaccClaspath
  • babel:javaccClaspath
  • piglet:javaccClaspath
  • server:javaccClaspath

Identifiers

javassist-3.18.1-GA.jar

Description:

Javassist (JAVA programming ASSISTant) makes Java bytecode manipulation simple. It is a class library for editing bytecodes in Java.

License:

MPL 1.1: http://www.mozilla.org/MPL/MPL-1.1.html
LGPL 2.1: http://www.gnu.org/licenses/lgpl-2.1.html
Apache License 2.0: http://www.apache.org/licenses/
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.javassist/javassist/3.18.1-GA/d9a09f7732226af26bf99f19e2cffe0ae219db5b/javassist-3.18.1-GA.jar
MD5: 5bb83868c87334320562af7eded65cc2
SHA1: d9a09f7732226af26bf99f19e2cffe0ae219db5b
SHA256:3fb71231afd098bb0f93f5eb97aa8291c8d0556379125e596f92ec8f944c6162
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

javax.activation-1.2.0.jar

Description:

JavaBeans Activation Framework

License:

https://github.com/javaee/activation/blob/master/LICENSE.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.sun.activation/javax.activation/1.2.0/bf744c1e2776ed1de3c55c8dac1057ec331ef744/javax.activation-1.2.0.jar
MD5: be7c430df50b330cffc4848a3abedbfb
SHA1: bf744c1e2776ed1de3c55c8dac1057ec331ef744
SHA256:993302b16cd7056f21e779cc577d175a810bb4900ef73cd8fbf2b50f928ba9ce
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • geode:default
  • geode:runtimeClasspath

Identifiers

javax.activation-api-1.2.0.jar

Description:

JavaBeans Activation Framework API jar

License:

https://github.com/javaee/activation/blob/master/LICENSE.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/javax.activation/javax.activation-api/1.2.0/85262acf3ca9816f9537ca47d5adeabaead7cb16/javax.activation-api-1.2.0.jar
MD5: 5e50e56bcf4a3ef3bc758f69f7643c3b
SHA1: 85262acf3ca9816f9537ca47d5adeabaead7cb16
SHA256:43fdef0b5b6ceb31b0424b208b930c74ab58fac2ceeb7b3f6fd3aeb8b5ca4393
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • geode:default
  • geode:compileClasspath
  • geode:runtimeClasspath

Identifiers

javax.annotation-api-1.2.jar

Description:

Common Annotations for the JavaTM Platform API

License:

CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/javax.annotation/javax.annotation-api/1.2/479c1e06db31c432330183f5cae684163f186146/javax.annotation-api-1.2.jar
MD5: 75fe320d2b3763bd6883ae1ede35e987
SHA1: 479c1e06db31c432330183f5cae684163f186146
SHA256:5909b396ca3a2be10d0eea32c74ef78d816e1b4ead21de1d78de1f890d033e04
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

javax.inject-1.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/javax.inject/javax.inject/1/6975da39a7040257bd51d21a231b76c915872d38/javax.inject-1.jar
MD5: 289075e48b909e9e74e6c915b3631d2e
SHA1: 6975da39a7040257bd51d21a231b76c915872d38
SHA256:91c77044a50c481636c32d916fd89c9118a72195390452c81065080f957de7ff
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • plus:compileClasspath
  • spark:default
  • spark:compileClasspath
  • plus:default
  • plus:runtimeClasspath
  • spark:runtimeClasspath

Identifiers

javax.inject-2.4.0-b34.jar

Description:

Injection API (JSR 330) version ${javax.inject.version} repackaged as OSGi bundle

License:

https://glassfish.java.net/nonav/public/CDDL+GPL_1_1.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.glassfish.hk2.external/javax.inject/2.4.0-b34/a6a3d4935af7b03e44126b5aac2c2a0ce98fe6e9/javax.inject-2.4.0-b34.jar
MD5: 0299609004955f54207ab8562273b5af
SHA1: a6a3d4935af7b03e44126b5aac2c2a0ce98fe6e9
SHA256:fdbf80a01b854045bd4004b7c6b1fdc2da81db475bfbd08ed574eeffcf9a7b1a
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

javax.resource-api-1.7.1.jar

Description:

Java EE Connector Architecture API

License:

CDDL + GPLv2 with classpath exception: https://oss.oracle.com/licenses/CDDL+GPL-1.1
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/javax.resource/javax.resource-api/1.7.1/f86b4d697ecd992ec6c4c6053736db16d41dc57f/javax.resource-api-1.7.1.jar
MD5: 41f26638ff807ef37845d6d89ef0e694
SHA1: f86b4d697ecd992ec6c4c6053736db16d41dc57f
SHA256:c75bd698263abd9c8c773e3b433a4da2c983fbc92a0a4ef5fc3286e62f41e411
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • geode:default
  • geode:compileClasspath
  • geode:runtimeClasspath

Identifiers

javax.servlet-api-4.0.1.jar

Description:

Java(TM) Servlet 4.0 API Design Specification

License:

CDDL + GPLv2 with classpath exception: https://oss.oracle.com/licenses/CDDL+GPL-1.1
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/javax.servlet/javax.servlet-api/4.0.1/a27082684a2ff0bf397666c3943496c44541d1ca/javax.servlet-api-4.0.1.jar
MD5: b80414033bf3397de334b95e892a2f44
SHA1: a27082684a2ff0bf397666c3943496c44541d1ca
SHA256:83a03dd877d3674576f0da7b90755c8524af099ccf0607fc61aa971535ad7c60
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • plus:compileClasspath
  • geode:default
  • spark:default
  • spark:compileClasspath
  • geode:runtimeClasspath
  • plus:default
  • plus:runtimeClasspath
  • spark:runtimeClasspath

Identifiers

javax.transaction-api-1.3.jar

Description:

Project GlassFish Java Transaction API

License:

CDDL + GPLv2 with classpath exception: https://github.com/javaee/javax.transaction/blob/master/LICENSE
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/javax.transaction/javax.transaction-api/1.3/e006adf5cf3cca2181d16bd640ecb80148ec0fce/javax.transaction-api-1.3.jar
MD5: 6e9cb1684621821248b6823143ae26c0
SHA1: e006adf5cf3cca2181d16bd640ecb80148ec0fce
SHA256:603df5e4fc1eeae8f5e5d363a8be6c1fa47d0df1df8739a05cbcb9fafd6df2da
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • geode:default
  • geode:compileClasspath
  • geode:runtimeClasspath

Identifiers

javax.ws.rs-api-2.0.1.jar

Description:

Java API for RESTful Web Services (JAX-RS)

License:

CDDL 1.1: http://glassfish.java.net/public/CDDL+GPL_1_1.html
GPL2 w/ CPE: http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/javax.ws.rs/javax.ws.rs-api/2.0.1/104e9c2b5583cfcfeac0402316221648d6d8ea6b/javax.ws.rs-api-2.0.1.jar
MD5: edcd111cf4d3ba8ac8e1f326efc37a17
SHA1: 104e9c2b5583cfcfeac0402316221648d6d8ea6b
SHA256:38607d626f2288d8fbc1b1f8a62c369e63806d9a313ac7cbc5f9d6c94f4b466d
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

jaxb-api-2.2.2.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/javax.xml.bind/jaxb-api/2.2.2/aeb3021ca93dde265796d82015beecdcff95bf09/jaxb-api-2.2.2.jar
MD5: a415e9a322984be1e1f8a023d09dca5f
SHA1: aeb3021ca93dde265796d82015beecdcff95bf09
SHA256:30233df6215fb982d8784de91d307596748cea98d6d502293c7c3e85c1697137
Referenced In Projects/Scopes:

  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • spark:default
  • spark:compileClasspath
  • piglet:default
  • spark:runtimeClasspath

Identifiers

jaxb-api-2.3.1.jar

Description:

JAXB (JSR 222) API

License:

https://oss.oracle.com/licenses/CDDL+GPL-1.1, https://oss.oracle.com/licenses/CDDL+GPL-1.1
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/javax.xml.bind/jaxb-api/2.3.1/8531ad5ac454cc2deb9d4d32c40c4d7451939b5d/jaxb-api-2.3.1.jar
MD5: bcf270d320f645ad19f5edb60091e87f
SHA1: 8531ad5ac454cc2deb9d4d32c40c4d7451939b5d
SHA256:88b955a0df57880a26a74708bc34f74dcaf8ebf4e78843a28b50eae945732b06
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • geode:default
  • geode:compileClasspath
  • geode:runtimeClasspath

Identifiers

jaxb-impl-2.2.3-1.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.sun.xml.bind/jaxb-impl/2.2.3-1/56baae106392040a45a06d4a41099173425da1e6/jaxb-impl-2.2.3-1.jar
MD5: 1b689e7f87caf2615c0f6a47831d0342
SHA1: 56baae106392040a45a06d4a41099173425da1e6
SHA256:fa3e1499b192c310312bf02881274b68394aaea4c9563e6c554cc406ae644ff8
Referenced In Projects/Scopes:

  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • piglet:default

Identifiers

jaxb-impl-2.3.1.jar

Description:

Old JAXB Runtime module. Contains sources required for runtime processing.

License:

http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.sun.xml.bind/jaxb-impl/2.3.1/a1a12b85ba1435b4189e065f7dafcc3fb9410d38/jaxb-impl-2.3.1.jar
MD5: adee85f9825b054eaf876b6d659fe147
SHA1: a1a12b85ba1435b4189e065f7dafcc3fb9410d38
SHA256:e6c9e0f1830fd5f7c30c25ecf5e2046c5668b06d304add89d2f027d5072297d0
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • geode:default
  • geode:runtimeClasspath

Identifiers

jaxb-impl-2.3.1.jar (shaded: org.glassfish.jaxb:jaxb-runtime:2.3.1)

Description:

JAXB (JSR 222) Reference Implementation

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.sun.xml.bind/jaxb-impl/2.3.1/a1a12b85ba1435b4189e065f7dafcc3fb9410d38/jaxb-impl-2.3.1.jar/META-INF/maven/org.glassfish.jaxb/jaxb-runtime/pom.xml
MD5: 1cb582b3df01ba8710f501a6184b83c0
SHA1: 1856da23a80b9b1374d925d6dcb4a21db2144204
SHA256:f8101b86157fbfc01949ffdc7c59ea71ca23b7ece25f6a79061fe01cb750ff00
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • geode:default
  • geode:runtimeClasspath

Identifiers

jcl-over-slf4j-1.7.16.jar

Description:

JCL 1.1.1 implemented over SLF4J

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.slf4j/jcl-over-slf4j/1.7.16/34e48073884704ac987d3d1a1ab9b60e62028a9/jcl-over-slf4j-1.7.16.jar
MD5: aeb458dc10a619bd32ebc9d399dd64a8
SHA1: 034e48073884704ac987d3d1a1ab9b60e62028a9
SHA256:764d8698e00c08dfbd8f6426ed95619cbf5473327a2a7d3b6bea6b1d987c6547
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

jedis-3.3.0.jar

Description:

Jedis is a blazingly small and sane Redis java client.

License:

MIT: http://github.com/xetorthio/jedis/raw/master/LICENSE.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/redis.clients/jedis/3.3.0/2ab3fdd2340ce84aa67765a8b8f5af05c45e06fd/jedis-3.3.0.jar
MD5: b3b914c4c4fed2b55b2ac88dfb0a249d
SHA1: 2ab3fdd2340ce84aa67765a8b8f5af05c45e06fd
SHA256:1ee4dfcfdc56fe68b57f0550df180f99deaac1344c17fddfc8ccf0d8b98e832e
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • redis:compileClasspath
  • redis:default
  • redis:runtimeClasspath

Identifiers

jersey-client-2.22.2.jar

Description:

Jersey core client implementation

License:

http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.glassfish.jersey.core/jersey-client/2.22.2/1712fff037ce5a59e3d67f90fff29222989799ee/jersey-client-2.22.2.jar
MD5: 2954068011b278e9eeb81333325114b3
SHA1: 1712fff037ce5a59e3d67f90fff29222989799ee
SHA256:c2229f74968db3d0e676f680a58c1148278def927499f6f2eb1e932aba41fbd5
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

jersey-common-2.22.2.jar

Description:

Jersey core common packages

License:

http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.glassfish.jersey.core/jersey-common/2.22.2/1209b89878b60ce7d49afadeff7522d2fde0e217/jersey-common-2.22.2.jar
MD5: d855b5f16119a933768c13690c099375
SHA1: 1209b89878b60ce7d49afadeff7522d2fde0e217
SHA256:33c51bda7fe94c27056af05c6b6bb1a0c2968b5bcf09b4c098ccbe953231186d
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

jersey-container-servlet-2.22.2.jar

Description:

Jersey core Servlet 3.x implementation

License:

http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.glassfish.jersey.containers/jersey-container-servlet/2.22.2/d90487b9809f822af7731abb8896a2183e7c4a0c/jersey-container-servlet-2.22.2.jar
MD5: b2c2437fc6bd593cffdc21fca596eb8f
SHA1: d90487b9809f822af7731abb8896a2183e7c4a0c
SHA256:24567da42f73047d6f302b1bcafc552e8fddf6219f07cc72774eaac4a56d57e7
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

jersey-container-servlet-core-2.22.2.jar

Description:

Jersey core Servlet 2.x implementation

License:

http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.glassfish.jersey.containers/jersey-container-servlet-core/2.22.2/212c534c5b030594ccf5c4b929e8f7cbf26eb1ba/jersey-container-servlet-core-2.22.2.jar
MD5: a4adb948604d7908ba9e207d3746c171
SHA1: 212c534c5b030594ccf5c4b929e8f7cbf26eb1ba
SHA256:7d5ef749aeafd22f25bf06b479be92201b34e8aa8e9ad4dbee69bbcf4dc1ce07
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

jersey-core-1.9.jar

Description:

Jersey is the open source (under dual CDDL+GPL license) JAX-RS (JSR 311) production quality Reference Implementation for building RESTful Web services.

License:

http://glassfish.java.net/public/CDDL+GPL_1_1.html, http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.sun.jersey/jersey-core/1.9/8341846f18187013bb9e27e46b7ee00a6395daf4/jersey-core-1.9.jar
MD5: 73d196595f5e410a37c0a4337350ceb7
SHA1: 8341846f18187013bb9e27e46b7ee00a6395daf4
SHA256:2c6d0ec88fc8c36cb41637d9c00d0698c22cb6b6a137fa526ef782e00d2265bc
Referenced In Projects/Scopes:
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • piglet:default

Identifiers

jersey-guava-2.22.2.jar

Description:

Jersey Guava Repackaged

License:

http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.glassfish.jersey.bundles.repackaged/jersey-guava/2.22.2/7422c693c89640c9685dfa99dbef2da745aa4617/jersey-guava-2.22.2.jar
MD5: d5da552c520f65980a21e9703f30453c
SHA1: 7422c693c89640c9685dfa99dbef2da745aa4617
SHA256:0fdcc75d025aff4032d3b8be909b5a082913b27d953ad82dd5df2ad29aea636b
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

jersey-json-1.9.jar

Description:

Jersey is the open source (under dual CDDL+GPL license) JAX-RS (JSR 311) production quality Reference Implementation for building RESTful Web services.

License:

http://glassfish.java.net/public/CDDL+GPL_1_1.html, http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.sun.jersey/jersey-json/1.9/1aa73e1896bcc7013fed247157d7f676226eb432/jersey-json-1.9.jar
MD5: 17ca6b0d49ed8db159b7827b6defa6b6
SHA1: 1aa73e1896bcc7013fed247157d7f676226eb432
SHA256:cc5d535f43cef0d1c467240961aae35801a837ab010319e741b2c7a6658f3fd6
Referenced In Projects/Scopes:
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • piglet:default

jersey-media-jaxb-2.22.2.jar

Description:

JAX-RS features based upon JAX-B.

License:

http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.glassfish.jersey.media/jersey-media-jaxb/2.22.2/7a9adf97790a92d09a1f2c027dbd34af15ffee04/jersey-media-jaxb-2.22.2.jar
MD5: 8c868cadfd83b1c7c27a3d7455733293
SHA1: 7a9adf97790a92d09a1f2c027dbd34af15ffee04
SHA256:0a99789dd4f2f24451f7cf423d5682dbef39a34609555f455b73546967b9c225
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

jersey-server-1.9.jar

Description:

Jersey is the open source (under dual CDDL+GPL license) JAX-RS (JSR 311) production quality Reference Implementation for building RESTful Web services.

License:

http://glassfish.java.net/public/CDDL+GPL_1_1.html, http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.sun.jersey/jersey-server/1.9/3a6ea7cc5e15c824953f9f3ece2201b634d90d18/jersey-server-1.9.jar
MD5: 0c98f6cca5df8197b310a0d1d89bb34a
SHA1: 3a6ea7cc5e15c824953f9f3ece2201b634d90d18
SHA256:3ded91b198077561bd51f6c0442c9cd70b754d8b31b61afaf448bda9d01848f0
Referenced In Projects/Scopes:
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • piglet:default

jersey-server-2.22.2.jar

Description:

Jersey core server implementation

License:

http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.glassfish.jersey.core/jersey-server/2.22.2/5ede3e5f98f8b14d31d1d0fffe9908df2bd41c0f/jersey-server-2.22.2.jar
MD5: 62d36194c28af7a49966554af421488f
SHA1: 5ede3e5f98f8b14d31d1d0fffe9908df2bd41c0f
SHA256:8f8649b568d068f053362fa3def56206166dfceb3baa74e9f19eff6f8f8d9f1f
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

jets3t-0.7.1.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.java.dev.jets3t/jets3t/0.7.1/2d10b62398360c674b4039ea4f2d1c697f46f6cd/jets3t-0.7.1.jar
MD5: f170ab1887bf86b5eda9f4f662b5c3ad
SHA1: 2d10b62398360c674b4039ea4f2d1c697f46f6cd
SHA256:cf3c047571471682a7f59df54808a7143d78c6b8f6826809ee95a2f9637b7e60
Referenced In Projects/Scopes:
  • pig:runtimeClasspath
  • pig:default
  • pig:compileClasspath

jets3t-0.9.0.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.java.dev.jets3t/jets3t/0.9.0/792bc96ee7e57b89f472aa0cb5a31015b9f59c96/jets3t-0.9.0.jar
MD5: 22559a7c686b19534707228decc3c6d7
SHA1: 792bc96ee7e57b89f472aa0cb5a31015b9f59c96
SHA256:e89893fc754b252af717d7d14accda946f7dfcfc1e293fd3e04725163d661bd7
Referenced In Projects/Scopes:
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • piglet:default

jets3t-0.9.3.jar

Description:

Toolkit for Amazon S3, Amazon CloudFront, and Google Storage Service.

License:

Apache 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.java.dev.jets3t/jets3t/0.9.3/65fbf0c71718078fc7ac1facdbf3cf53afa64abd/jets3t-0.9.3.jar
MD5: e66e1e5756a2e2cb4fc994d78c1340bc
SHA1: 65fbf0c71718078fc7ac1facdbf3cf53afa64abd
SHA256:39b1bef7935ad78a12a444a179f728064d478580e0e82f6301ddbe15ad07fbd9
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

jettison-1.1.jar

Description:

A StAX implementation for JSON.

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.codehaus.jettison/jettison/1.1/1a01a2a1218fcf9faa2cc2a6ced025bdea687262/jettison-1.1.jar
MD5: fc80e0aabd516c54739262c3d618303a
SHA1: 1a01a2a1218fcf9faa2cc2a6ced025bdea687262
SHA256:377940288b0643c48780137f6f68578937e1ea5ca2b73830a820c50a7b7ed801
Referenced In Projects/Scopes:
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • piglet:default
  • spark:runtimeClasspath

jetty-6.1.26.jar

Description:

Jetty server core

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.mortbay.jetty/jetty/6.1.26/2f546e289fddd5b1fab1d4199fbb6e9ef43ee4b0/jetty-6.1.26.jar
MD5: 12b65438bbaf225102d0396c21236052
SHA1: 2f546e289fddd5b1fab1d4199fbb6e9ef43ee4b0
SHA256:21091d3a9c1349f640fdc421504a604c040ed89087ecc12afbe32353326ed4e5
Referenced In Projects/Scopes:
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • pig:runtimeClasspath
  • piglet:default
  • pig:default
  • pig:compileClasspath

CVE-2009-1523  

Directory traversal vulnerability in the HTTP server in Mort Bay Jetty 5.1.14, 6.x before 6.1.17, and 7.x through 7.0.0.M2 allows remote attackers to access arbitrary files via directory traversal sequences in the URI.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

CVE-2011-4461  

Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
CWE-310 Cryptographic Issues

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2017-7656 (OSSINDEX)  

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.mortbay.jetty:jetty:6.1.26:*:*:*:*:*:*:*

CVE-2017-7657 (OSSINDEX)  

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.mortbay.jetty:jetty:6.1.26:*:*:*:*:*:*:*

CVE-2017-7658 (OSSINDEX)  

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.mortbay.jetty:jetty:6.1.26:*:*:*:*:*:*:*

CVE-2017-9735 (OSSINDEX)  

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.mortbay.jetty:jetty:6.1.26:*:*:*:*:*:*:*

CVE-2019-10241 (OSSINDEX)  

In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.mortbay.jetty:jetty:6.1.26:*:*:*:*:*:*:*

CVE-2019-10247 (OSSINDEX)  

In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.mortbay.jetty:jetty:6.1.26:*:*:*:*:*:*:*

CVE-2020-27216 (OSSINDEX)  

In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
CVSSv3:
  • Base Score: HIGH (7.8)
  • Vector: CVSS:/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.mortbay.jetty:jetty:6.1.26:*:*:*:*:*:*:*

jetty-http-9.4.15.v20190215.jar

Description:

Jetty module for Jetty :: Http Utility

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-http/9.4.15.v20190215/b6ccda5ec5580914ff2fcbd0b9a7e3327e11ba01/jetty-http-9.4.15.v20190215.jar
MD5: 47751eaffe13cc81aca359adeee6b489
SHA1: b6ccda5ec5580914ff2fcbd0b9a7e3327e11ba01
SHA256:c95711e9759a2bfa43ad5e7eadbbbf86152acba065e38121181bc41596647f9a
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • plus:compileClasspath
  • geode:default
  • spark:default
  • spark:compileClasspath
  • geode:runtimeClasspath
  • plus:default
  • plus:runtimeClasspath
  • spark:runtimeClasspath

CVE-2019-10241  

In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2019-10247  

In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2020-27216  

In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (4.4)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.0)
  • Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2020-27218  

In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:P
CVSSv3:
  • Base Score: MEDIUM (4.8)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

CVE-2020-27223  

In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2021-28165  

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: HIGH (7.8)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

jetty-io-9.4.15.v20190215.jar

Description:

Jetty module for Jetty :: IO Utility

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-io/9.4.15.v20190215/e9f3cb0e56ff0bf15c42fd977d220e494e66c61c/jetty-io-9.4.15.v20190215.jar
MD5: 7fb59c495da438962443da48a2f9b958
SHA1: e9f3cb0e56ff0bf15c42fd977d220e494e66c61c
SHA256:6f40f4162739ebf1c89a96165f31598bae4101b264098017af563853af8a662a
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • plus:compileClasspath
  • geode:default
  • spark:default
  • spark:compileClasspath
  • geode:runtimeClasspath
  • plus:default
  • plus:runtimeClasspath
  • spark:runtimeClasspath

CVE-2021-28165 (OSSINDEX)  

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.eclipse.jetty:jetty-io:9.4.15.v20190215:*:*:*:*:*:*:*

jetty-security-9.4.15.v20190215.jar

Description:

Jetty security infrastructure

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-security/9.4.15.v20190215/bfb074a843d7961111143a193c846040bd089365/jetty-security-9.4.15.v20190215.jar
MD5: 791330b0b59523faf4730911c7f66bb5
SHA1: bfb074a843d7961111143a193c846040bd089365
SHA256:2ae35c6be04d3f47d82fc75e337f6c4cf43ae6e04046cc8b9d6b4b2bb679f507
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • plus:compileClasspath
  • plus:default
  • plus:runtimeClasspath

CVE-2019-10241  

In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2019-10247  

In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2020-27216  

In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (4.4)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.0)
  • Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2020-27218  

In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:P
CVSSv3:
  • Base Score: MEDIUM (4.8)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

CVE-2020-27223  

In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2021-28165  

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: HIGH (7.8)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

jetty-server-9.4.15.v20190215.jar

Description:

The core jetty server artifact.

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.4.15.v20190215/c3c67bd8ec3fe328de9e888e2e619362905a56ab/jetty-server-9.4.15.v20190215.jar
MD5: f406bc827774665a125068cc8dab5e2a
SHA1: c3c67bd8ec3fe328de9e888e2e619362905a56ab
SHA256:7dda78de3ba23e0c9f7599fb295d5d861fe0ada615b856ce345cf2b8f4e5975f
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • plus:compileClasspath
  • geode:default
  • spark:default
  • spark:compileClasspath
  • geode:runtimeClasspath
  • plus:default
  • plus:runtimeClasspath
  • spark:runtimeClasspath

CVE-2019-10241  

In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2019-10247  

In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2020-27216  

In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (4.4)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.0)
  • Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2020-27218  

In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:P
CVSSv3:
  • Base Score: MEDIUM (4.8)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

CVE-2020-27223  

In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2021-28165  

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: HIGH (7.8)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

jetty-sslengine-6.1.26.jar

Description:

Parent pom for Jetty at Codehaus

License:

Apache License Version 2: http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.mortbay.jetty/jetty-sslengine/6.1.26/60367999cee49a3b09fa86bdcb52310b6c896014/jetty-sslengine-6.1.26.jar
MD5: d3bea45d6939e57fccf450a914fe4e1a
SHA1: 60367999cee49a3b09fa86bdcb52310b6c896014
SHA256:9c5f6bb168ba01b95d250b57f061c8094e1ce9c89ae4e773492bacb17192ea87
Referenced In Projects/Scopes:
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • piglet:default
  • spark:runtimeClasspath

CVE-2009-1523  

Directory traversal vulnerability in the HTTP server in Mort Bay Jetty 5.1.14, 6.x before 6.1.17, and 7.x through 7.0.0.M2 allows remote attackers to access arbitrary files via directory traversal sequences in the URI.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

CVE-2011-4461  

Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
CWE-310 Cryptographic Issues

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

jetty-util-6.1.26.jar

Description:

Utility classes for Jetty

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.mortbay.jetty/jetty-util/6.1.26/e5642fe0399814e1687d55a3862aa5a3417226a9/jetty-util-6.1.26.jar
MD5: 450fedce4f7f8ad3761577b10a664200
SHA1: e5642fe0399814e1687d55a3862aa5a3417226a9
SHA256:9b974ce2b99f48254b76126337dc45b21226f383aaed616f59780adaf167c047
Referenced In Projects/Scopes:
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • pig:runtimeClasspath
  • spark:default
  • spark:compileClasspath
  • piglet:default
  • pig:default
  • spark:runtimeClasspath
  • pig:compileClasspath

CVE-2009-1523  

Directory traversal vulnerability in the HTTP server in Mort Bay Jetty 5.1.14, 6.x before 6.1.17, and 7.x through 7.0.0.M2 allows remote attackers to access arbitrary files via directory traversal sequences in the URI.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

CVE-2011-4461  

Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
CWE-310 Cryptographic Issues

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

jetty-util-9.4.15.v20190215.jar

Description:

Utility classes for Jetty

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-util/9.4.15.v20190215/842cb29911d32c18c9e6fa377cabfbc4685f4bb2/jetty-util-9.4.15.v20190215.jar
MD5: 986499cd8b571c3ddc229e972f260602
SHA1: 842cb29911d32c18c9e6fa377cabfbc4685f4bb2
SHA256:f3deed4141b4595971f504f6b516e7302f307032bc45403a720213e46ca87464
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • plus:compileClasspath
  • geode:default
  • spark:default
  • spark:compileClasspath
  • geode:runtimeClasspath
  • plus:default
  • plus:runtimeClasspath
  • spark:runtimeClasspath

Identifiers

CVE-2019-10241  

In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2019-10247  

In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2020-27216  

In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (4.4)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.0)
  • Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2020-27218  

In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:P
CVSSv3:
  • Base Score: MEDIUM (4.8)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

CVE-2020-27223  

In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2021-28165  

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: HIGH (7.8)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

jffi-1.2.16-native.jar

Description:

Java Foreign Function Interface - Native Libraries

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.github.jnr/jffi/1.2.16/3c1f0edf2df2c6e0419d60d0baa59659211624cb/jffi-1.2.16-native.jar
MD5: 5750b1111e4fdb7445bc08b5e74a2fd8
SHA1: 3c1f0edf2df2c6e0419d60d0baa59659211624cb
SHA256:ef78953e3dbf47fab94469190bc2a6d601566a21d4651f73c822bad1c02b64fe
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • cassandra:runtimeClasspath
  • cassandra:default

Identifiers

jffi-1.2.16-native.jar: jffi-1.2.dll

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.github.jnr/jffi/1.2.16/3c1f0edf2df2c6e0419d60d0baa59659211624cb/jffi-1.2.16-native.jar/jni/x86_64-Windows/jffi-1.2.dll
MD5: 5d80b61c1f9e31860c17b3a410948e7e
SHA1: 5ca292116336ee4ceed00d10e756afea580e62cf
SHA256:58398ba5cda1b7cb89ad4e03dd4a658006956f81acfef4efb4e7dd934e2733ef
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • cassandra:runtimeClasspath
  • cassandra:default

Identifiers

  • None

jffi-1.2.16-native.jar: jffi-1.2.dll

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.github.jnr/jffi/1.2.16/3c1f0edf2df2c6e0419d60d0baa59659211624cb/jffi-1.2.16-native.jar/jni/i386-Windows/jffi-1.2.dll
MD5: 841e60814ed6b2971a47b267aef1c58a
SHA1: 07d30c6407fefad8df4b6afc4d85f83e547975ca
SHA256:d63b0ec9a7cc75c26fa951928bf550c0e9a5e6c195a3de94a9c24995206bbfd2
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • cassandra:runtimeClasspath
  • cassandra:default

Identifiers

  • None

jffi-1.2.16.jar

Description:

Java Foreign Function Interface

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.github.jnr/jffi/1.2.16/5c1149dfcc9a16f85c8d9b8797f03806667cb9f1/jffi-1.2.16.jar
MD5: 90fc8c0b31df29ef4d595c68a9d46de9
SHA1: 5c1149dfcc9a16f85c8d9b8797f03806667cb9f1
SHA256:7a616bb7dc6e10531a28a098078f8184df9b008d5231bdc5f1c131839385335f
Referenced In Projects/Scopes:
  • cassandra:compileClasspath
  • calcite:sqllineClasspath
  • cassandra:runtimeClasspath
  • cassandra:default

Identifiers

jgroups-3.6.14.Final.jar

Description:

Reliable cluster communication toolkit

License:

Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jgroups/jgroups/3.6.14.Final/ee11e0645462b6937625f56f42bf5e853673168/jgroups-3.6.14.Final.jar
MD5: 524fb17e62dbebe166cf96434fc835c8
SHA1: 0ee11e0645462b6937625f56f42bf5e853673168
SHA256:7fc7cbd06ac8673d77aae5215bb90605bbd1ec6d9156e22b26844d9d317e0056
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • geode:default
  • geode:runtimeClasspath

Identifiers

CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle') (OSSINDEX)  

The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.
CWE-300 Channel Accessible by Non-Endpoint ('Man-in-the-Middle')

CVSSv3:
  • Base Score: HIGH (7.4)
  • Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.jgroups:jgroups:3.6.14.Final:*:*:*:*:*:*:*

jline-0.9.94.jar

Description:

JLine is a java library for reading and editing user input in console applications. It features tab-completion, command history, password masking, customizable keybindings, and pass-through handlers to use to chain to other console applications.

License:

BSD: LICENSE.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/jline/jline/0.9.94/99a18e9a44834afdebc467294e1138364c207402/jline-0.9.94.jar
MD5: 46235c960277206f00fe24714437bc89
SHA1: 99a18e9a44834afdebc467294e1138364c207402
SHA256:d8df0ffb12d87ca876271cda4d59b3feb94123882c1be1763b7faf2e0a0b0cbb
Referenced In Projects/Scopes:
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

jline-0.9.94.jar: jline32.dll

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/jline/jline/0.9.94/99a18e9a44834afdebc467294e1138364c207402/jline-0.9.94.jar/jline/jline32.dll
MD5: b3d9a08ff70440ba3638a325512f2cd8
SHA1: 67a55d8f8ca4937d784d4334e554770adc2a1079
SHA256:3ddb21ed441296861413cfd109c61f12626ecc66ece659754b621d295fe9b23c
Referenced In Projects/Scopes:

  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • spark:default
  • pig:runtimeClasspath
  • spark:compileClasspath
  • piglet:default
  • pig:default
  • spark:runtimeClasspath
  • pig:compileClasspath

Identifiers

  • None

jline-0.9.94.jar: jline64.dll

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/jline/jline/0.9.94/99a18e9a44834afdebc467294e1138364c207402/jline-0.9.94.jar/jline/jline64.dll
MD5: d2f7b0db1231aac1846a857f5c0c4f2c
SHA1: e297e4e990ce820e64d41f3f27b9be90283f3f96
SHA256:f496874c86992b7436962451e05d1ffc9ca32ab64ce819501c42d807670e376e
Referenced In Projects/Scopes:

  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • spark:default
  • pig:runtimeClasspath
  • spark:compileClasspath
  • piglet:default
  • pig:default
  • spark:runtimeClasspath
  • pig:compileClasspath

Identifiers

  • None

jline-1.0.jar

Description:

JLine is a java library for reading and editing user input in console applications. It features tab-completion, command history, password masking, customizable keybindings, and pass-through handlers to use to chain to other console applications.

License:

BSD: LICENSE.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/jline/jline/1.0/e8f2d4690059d42a8f0f29195884a72a82ce4bb7/jline-1.0.jar
MD5: d6b1adf9b0fb4607362385ef6c3371dd
SHA1: e8f2d4690059d42a8f0f29195884a72a82ce4bb7
SHA256:b0d884980fab1df2f948c568f576c365f3379dc8bc930272fa508843d1f3652b
Referenced In Projects/Scopes:
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • pig:runtimeClasspath
  • piglet:default
  • pig:default
  • pig:compileClasspath

Identifiers

jline-2.12.jar

License:

The BSD License: http://www.opensource.org/licenses/bsd-license.php
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/jline/jline/2.12/ce9062c6a125e0f9ad766032573c041ae8ecc986/jline-2.12.jar
MD5: 391c352dda90e0e16aa129286d72f2c7
SHA1: ce9062c6a125e0f9ad766032573c041ae8ecc986
SHA256:d34b45c8ca4359c65ae61e406339022e4731c739bc3448ce3999a60440baaa72
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • geode:default
  • geode:compileClasspath
  • geode:runtimeClasspath

Identifiers

jline-2.12.jar: jansi.dll

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/jline/jline/2.12/ce9062c6a125e0f9ad766032573c041ae8ecc986/jline-2.12.jar/META-INF/native/windows32/jansi.dll
MD5: 1e56641bb68937f8e2020cbff5d04a08
SHA1: 97f6e12599bb5848867b9762184d055ed918ab2a
SHA256:0f59ff32a7c70e00a580d893de42ffaf48d0242b4d6251792666919b10ac3cd4
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • geode:default
  • geode:compileClasspath
  • geode:runtimeClasspath

Identifiers

  • None

jline-2.12.jar: jansi.dll

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/jline/jline/2.12/ce9062c6a125e0f9ad766032573c041ae8ecc986/jline-2.12.jar/META-INF/native/windows64/jansi.dll
MD5: fd3a20891286c958103f3ea07174cd3c
SHA1: 829195c9e338d5725cf304ae33fc209db53884eb
SHA256:c33505a7c1fb847c03329a4f0e4b3c5cebac3a3604133d797d09172de25e3978
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • geode:default
  • geode:compileClasspath
  • geode:runtimeClasspath

Identifiers

  • None

jline-builtins-3.18.0.jar

Description:

JLine

License:

https://opensource.org/licenses/BSD-3-Clause
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jline/jline-builtins/3.18.0/5bcc0b4704168c5ea59194039477b7d5f5445260/jline-builtins-3.18.0.jar
MD5: 2f0ea1aaca354040ef11f6753e1cfd62
SHA1: 5bcc0b4704168c5ea59194039477b7d5f5445260
SHA256:4adc5f75aec9aec75c86ab56bcac21f3eb5535a8e0826ca40af27bfe075aa33f
Referenced In Project/Scope: calcite:sqllineClasspath

Identifiers

jline-console-3.18.0.jar

Description:

JLine

License:

https://opensource.org/licenses/BSD-3-Clause
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jline/jline-console/3.18.0/4910d30ecb98fb56e3546e3ea9a672a1b7d77bf/jline-console-3.18.0.jar
MD5: 006f805401261896c3ed414385a85882
SHA1: 04910d30ecb98fb56e3546e3ea9a672a1b7d77bf
SHA256:288b04e3be5a2963a9b8f963cad63301a61b2484e72317d5e7c34f26537313db
Referenced In Project/Scope: calcite:sqllineClasspath

Identifiers

jline-reader-3.18.0.jar

Description:

JLine

License:

https://opensource.org/licenses/BSD-3-Clause
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jline/jline-reader/3.18.0/792de4515e58ec2a2dbbb32bc3b0b20202261899/jline-reader-3.18.0.jar
MD5: 9b4cdc815d2ba221e53b885c83db6242
SHA1: 792de4515e58ec2a2dbbb32bc3b0b20202261899
SHA256:04b782f8c34731adc4cbca8131b28f0d41b4f14da7f04c57ffdd11f48a2af730
Referenced In Project/Scope: calcite:sqllineClasspath

Identifiers

jline-style-3.18.0.jar

Description:

JLine

License:

https://opensource.org/licenses/BSD-3-Clause
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jline/jline-style/3.18.0/4f65fef540e3f90d8781a22aecb306e6e7ea49f6/jline-style-3.18.0.jar
MD5: 00b939bb117a59c4f9acd7713ee51c41
SHA1: 4f65fef540e3f90d8781a22aecb306e6e7ea49f6
SHA256:29b9792c7d133ce31dd09258cb128002cb107797caebe16697bba0938de0640f
Referenced In Project/Scope: calcite:sqllineClasspath

Identifiers

jline-terminal-3.18.0.jar

Description:

JLine

License:

https://opensource.org/licenses/BSD-3-Clause
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jline/jline-terminal/3.18.0/c6f4fd607701654de95f1f2a6dcc2360a9554404/jline-terminal-3.18.0.jar
MD5: e302c3831adbdb0dd73ccd35cdf6919d
SHA1: c6f4fd607701654de95f1f2a6dcc2360a9554404
SHA256:4912c47936aabe366d84ae64ba84c2d0830beb6504a95469326f69a63f361228
Referenced In Project/Scope: calcite:sqllineClasspath

Identifiers

jline-terminal-jansi-3.18.0.jar

Description:

JLine

License:

https://opensource.org/licenses/BSD-3-Clause
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jline/jline-terminal-jansi/3.18.0/d24cfab8009e61152f1d666c53696162260c79eb/jline-terminal-jansi-3.18.0.jar
MD5: 2a0ae6101c81ee99140d52126d2f9cd6
SHA1: d24cfab8009e61152f1d666c53696162260c79eb
SHA256:8baa49dc3d7243f74b1bf6e039c61399e0ebed01d90f4ae2eaa1c8b47bd4e848
Referenced In Project/Scope: calcite:sqllineClasspath

Identifiers

jline-terminal-jna-3.18.0.jar

Description:

JLine

License:

https://opensource.org/licenses/BSD-3-Clause
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jline/jline-terminal-jna/3.18.0/cf78f3608b5ff8abdb2039b421bb47579338c740/jline-terminal-jna-3.18.0.jar
MD5: 385b17c39b2955cec90446c7991407fc
SHA1: cf78f3608b5ff8abdb2039b421bb47579338c740
SHA256:8b87fd50724de7ebd749882cc895a6be25330b482df4d799a8761b65cc26fdb4
Referenced In Project/Scope: calcite:sqllineClasspath

Identifiers

jmh-core-1.21.jar

Description:

The jmh is a Java harness for building, running, and analysing nano/micro/macro benchmarks written in Java and other languages targeting the JVM.

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.openjdk.jmh/jmh-core/1.21/442447101f63074c61063858033fbfde8a076873/jmh-core-1.21.jar
MD5: 87fe00275cdaa76a31f73906fc8ee9d7
SHA1: 442447101f63074c61063858033fbfde8a076873
SHA256:79aecd73ffb5d95d88b1ac36b505fa30ae3e83788e936838e2be9a51074fd2dd
Referenced In Projects/Scopes:

  • ubenchmark:jmhCompileClasspath
  • ubenchmark:jmh

Identifiers

jmh-generator-annprocess-1.12.jar

Description:

JMH benchmark generator, based on annotation processors.

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.openjdk.jmh/jmh-generator-annprocess/1.12/9ad5888fdd36dd4b12bce5883069d9d82562ab6c/jmh-generator-annprocess-1.12.jar
MD5: d53f3168f15f61ee3a2f36ec06607af6
SHA1: 9ad5888fdd36dd4b12bce5883069d9d82562ab6c
SHA256:1739e5c97e8d7c9ed8dca96a7a97491a3a850dd37e9a8d315e0dfe7a1d9dafb9
Referenced In Project/Scope: ubenchmark:jmhCompileClasspath

Identifiers

jmh-generator-asm-1.21.jar

Description:

JMH benchmark generator, based on ASM bytecode manipulation.

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.openjdk.jmh/jmh-generator-asm/1.21/670ffd88255faf81ad294f0d8a9eba0292f5a554/jmh-generator-asm-1.21.jar
MD5: 7699014393f3a0b92e19e86dfa26923b
SHA1: 670ffd88255faf81ad294f0d8a9eba0292f5a554
SHA256:f6757d41c0c99d0f463d0bea726ca3f9fae2713d577f3935e8ceb2b8635f8e0b
Referenced In Projects/Scopes:

  • ubenchmark:jmhCompileClasspath
  • ubenchmark:jmh

Identifiers

jmh-generator-bytecode-1.21.jar

Description:

JMH benchmark generator, based on bytecode inspection.

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.openjdk.jmh/jmh-generator-bytecode/1.21/6a52cbbd7f5e2cf7a0163984241750cdd6cb1257/jmh-generator-bytecode-1.21.jar
MD5: 1675c247a3cd60c6ed72ad6f316c9581
SHA1: 6a52cbbd7f5e2cf7a0163984241750cdd6cb1257
SHA256:db4b0577f0a6413dc1299872c104518a54a3280abe486de7ec01003baf5ba018
Referenced In Projects/Scopes:

  • ubenchmark:jmhCompileClasspath
  • ubenchmark:jmh

Identifiers

jmh-generator-reflection-1.21.jar

Description:

JMH benchmark generator, based on reflection.

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.openjdk.jmh/jmh-generator-reflection/1.21/ed5a2bdca04daafac41c53cf82c3b9733fd91e89/jmh-generator-reflection-1.21.jar
MD5: e27b8bbb4cbd1846a0480648b8b38cee
SHA1: ed5a2bdca04daafac41c53cf82c3b9733fd91e89
SHA256:80309a00b3afcf65d238603e66d60203280a6699de8867d16b4571c420a707bd
Referenced In Projects/Scopes:

  • ubenchmark:jmhCompileClasspath
  • ubenchmark:jmh

Identifiers

jna-5.5.0.jar

Description:

JNA Library

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.java.dev.jna/jna/5.5.0/e0845217c4907822403912ad6828d8e0b256208/jna-5.5.0.jar
MD5: acfb5b5fd9ee10bf69497792fd469f85
SHA1: 0e0845217c4907822403912ad6828d8e0b256208
SHA256:b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • geode:default
  • geode:runtimeClasspath

Identifiers

jna-5.5.0.jar: jnidispatch.dll

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.java.dev.jna/jna/5.5.0/e0845217c4907822403912ad6828d8e0b256208/jna-5.5.0.jar/com/sun/jna/win32-x86-64/jnidispatch.dll
MD5: e02979ecd43bcc9061eb2b494ab5af50
SHA1: 3122ac0e751660f646c73b10c4f79685aa65c545
SHA256:a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • geode:default
  • geode:runtimeClasspath

Identifiers

  • None

jna-5.5.0.jar: jnidispatch.dll

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.java.dev.jna/jna/5.5.0/e0845217c4907822403912ad6828d8e0b256208/jna-5.5.0.jar/com/sun/jna/win32-x86/jnidispatch.dll
MD5: 28d895a3cb7e9a0b6a5ae5ed6a62b254
SHA1: 703d8604a8d04d29c52c0ebcde1e86f3bc8ff824
SHA256:04c9a8ab43d1eb616b84d0686c8ae1d881ef03fe4f3aa26511e5b19d35ef16af
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • geode:default
  • geode:runtimeClasspath

Identifiers

  • None

jnr-constants-0.9.9.jar

Description:

A set of platform constants (e.g. errno values)

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.github.jnr/jnr-constants/0.9.9/33f23994e09aeb49880aa01e12e8e9eff058c14c/jnr-constants-0.9.9.jar
MD5: dda134f02497e1613fc0dd2d29bae42f
SHA1: 33f23994e09aeb49880aa01e12e8e9eff058c14c
SHA256:6862e69646fb726684d8610bc5a65740feab5f235d8d1dc7596113bd1ad54181
Referenced In Projects/Scopes:
  • cassandra:compileClasspath
  • calcite:sqllineClasspath
  • cassandra:runtimeClasspath
  • cassandra:default

Identifiers

jnr-ffi-2.1.7.jar

Description:

A library for invoking native functions from java

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.github.jnr/jnr-ffi/2.1.7/31a7391a212069303935a1df29566b7372d3ef9f/jnr-ffi-2.1.7.jar
MD5: 5c1ea66275918665f1d6827fe2db5f87
SHA1: 31a7391a212069303935a1df29566b7372d3ef9f
SHA256:2ed1bedf59935cd3cc0964bac5cd91638b2e966a82041fe0a6c85f52279c9b34
Referenced In Projects/Scopes:
  • cassandra:compileClasspath
  • calcite:sqllineClasspath
  • cassandra:runtimeClasspath
  • cassandra:default

Identifiers

jnr-posix-3.0.44.jar

Description:

Common cross-project/cross-platform POSIX APIs

License:

Common Public License - v 1.0: http://www-128.ibm.com/developerworks/library/os-cpl.html
GNU General Public License Version 2: http://www.gnu.org/copyleft/gpl.html
GNU Lesser General Public License Version 2.1: http://www.gnu.org/licenses/lgpl.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.github.jnr/jnr-posix/3.0.44/1f8e4551454e613c04f6d4045ed9d5b98e21980f/jnr-posix-3.0.44.jar
MD5: 6e9121b8c504de94e34499570ed189c2
SHA1: 1f8e4551454e613c04f6d4045ed9d5b98e21980f
SHA256:8442c39b21a82eab9f07039ddd5caeb1707247e1bf45c2abf3150869393ce182
Referenced In Projects/Scopes:
  • cassandra:compileClasspath
  • calcite:sqllineClasspath
  • cassandra:runtimeClasspath
  • cassandra:default

Identifiers

jnr-x86asm-1.0.2.jar

Description:

A pure-java X86 and X86_64 assembler

License:

MIT License: http://www.opensource.org/licenses/mit-license.php
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.github.jnr/jnr-x86asm/1.0.2/6936bbd6c5b235665d87bd450f5e13b52d4b48/jnr-x86asm-1.0.2.jar
MD5: 00670735acb2a9d1421b506dc7d338bc
SHA1: 006936bbd6c5b235665d87bd450f5e13b52d4b48
SHA256:39f3675b910e6e9b93825f8284bec9f4ad3044cd20a6f7c8ff9e2f8695ebf21e
Referenced In Projects/Scopes:
  • cassandra:compileClasspath
  • calcite:sqllineClasspath
  • cassandra:runtimeClasspath
  • cassandra:default

Identifiers

joda-time-2.8.1.jar

Description:

Date and time library to replace JDK date handling

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/joda-time/joda-time/2.8.1/f5bfc718c95a7b1d3c371bb02a188a4df18361a9/joda-time-2.8.1.jar
MD5: c23002a0fac3455e92551e7f24500fa4
SHA1: f5bfc718c95a7b1d3c371bb02a188a4df18361a9
SHA256:b4670b95f75957c974284c5f3ada966040be2578f643c5c6083d262162061fa2
Referenced In Projects/Scopes:
  • piglet:compileClasspath
  • druid:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • pig:runtimeClasspath
  • druid:runtimeClasspath
  • piglet:default
  • druid:default
  • pig:default
  • pig:compileClasspath

Identifiers

jopt-simple-4.6.jar

Description:

A Java library for parsing command line options

License:

The MIT License: http://www.opensource.org/licenses/mit-license.php
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.sf.jopt-simple/jopt-simple/4.6/306816fb57cf94f108a43c95731b08934dcae15c/jopt-simple-4.6.jar
MD5: 13560a58a79b46b82057686543e8d727
SHA1: 306816fb57cf94f108a43c95731b08934dcae15c
SHA256:3fcfbe3203c2ea521bf7640484fd35d6303186ea2e08e72f032d640ca067ffda
Referenced In Projects/Scopes:
  • ubenchmark:jmhCompileClasspath
  • ubenchmark:jmh

Identifiers

jopt-simple-5.0.4.jar

Description:

A Java library for parsing command line options

License:

The MIT License: http://www.opensource.org/licenses/mit-license.php
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.sf.jopt-simple/jopt-simple/5.0.4/4fdac2fbe92dfad86aa6e9301736f6b4342a3f5c/jopt-simple-5.0.4.jar
MD5: eb0d9dffe9b0eddead68fe678be76c49
SHA1: 4fdac2fbe92dfad86aa6e9301736f6b4342a3f5c
SHA256:df26cc58f235f477db07f753ba5a3ab243ebe5789d9f89ecf68dd62ea9a66c28
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • geode:default
  • geode:runtimeClasspath

Identifiers

jsch-0.1.54.jar

Description:

JSch is a pure Java implementation of SSH2

License:

Revised BSD: http://www.jcraft.com/jsch/LICENSE.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.jcraft/jsch/0.1.54/da3584329a263616e277e15462b387addd1b208d/jsch-0.1.54.jar
MD5: 56a6c6fc5819e21c665355b39b9097d8
SHA1: da3584329a263616e277e15462b387addd1b208d
SHA256:92eb273a3316762478fdd4fe03a0ce1842c56f496c9c12fe1235db80450e1fdb
Referenced In Projects/Scopes:
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • piglet:default

Identifiers

json-path-2.4.0.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.jayway.jsonpath/json-path/2.4.0/765a4401ceb2dc8d40553c2075eb80a8fa35c2ae/json-path-2.4.0.jar
MD5: 29169b4b1115bc851e5734ef35ecd42a
SHA1: 765a4401ceb2dc8d40553c2075eb80a8fa35c2ae
SHA256:60441c74fb64e5a480070f86a604941927aaf684e2b513d780fb7a38fb4c5639
Referenced In Projects/Scopes:

  • babel:default
  • piglet:runtimeClasspath
  • spark:default
  • splunk:default
  • function:runtimeClasspath
  • kafka:default
  • redis:runtimeClasspath
  • server:runtimeClasspath
  • cassandra:runtimeClasspath
  • druid:default
  • spark:runtimeClasspath
  • core:default
  • babel:runtimeClasspath
  • elasticsearch:runtimeClasspath
  • innodb:default
  • piglet:default
  • pig:default
  • plus:runtimeClasspath
  • function:default
  • csv:default
  • core:implementationDependenciesMetadata
  • kafka:runtimeClasspath
  • splunk:runtimeClasspath
  • core:compileClasspath
  • file:runtimeClasspath
  • innodb:runtimeClasspath
  • calcite:sqllineClasspath
  • core:runtimeClasspath
  • geode:default
  • elasticsearch:default
  • druid:runtimeClasspath
  • mongodb:runtimeClasspath
  • file:default
  • server:default
  • pig:runtimeClasspath
  • mongodb:default
  • redis:default
  • geode:runtimeClasspath
  • csv:runtimeClasspath
  • plus:default
  • cassandra:default

Identifiers

json-smart-2.3.jar

Description:

JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.minidev/json-smart/2.3/7396407491352ce4fa30de92efb158adb76b5b/json-smart-2.3.jar
MD5: f2a921d4baaa7308de04eed4d8d72715
SHA1: 007396407491352ce4fa30de92efb158adb76b5b
SHA256:903f48c8aa4c3f6426440b8d32de89fa1dc23b1169abde25e4e1d068aa67708b
Referenced In Projects/Scopes:
  • babel:default
  • piglet:runtimeClasspath
  • spark:default
  • splunk:default
  • function:runtimeClasspath
  • kafka:default
  • redis:runtimeClasspath
  • server:runtimeClasspath
  • cassandra:runtimeClasspath
  • druid:default
  • spark:runtimeClasspath
  • core:default
  • babel:runtimeClasspath
  • elasticsearch:runtimeClasspath
  • innodb:default
  • piglet:default
  • pig:default
  • plus:runtimeClasspath
  • function:default
  • csv:default
  • core:implementationDependenciesMetadata
  • kafka:runtimeClasspath
  • splunk:runtimeClasspath
  • core:compileClasspath
  • file:runtimeClasspath
  • innodb:runtimeClasspath
  • calcite:sqllineClasspath
  • core:runtimeClasspath
  • geode:default
  • elasticsearch:default
  • druid:runtimeClasspath
  • mongodb:runtimeClasspath
  • file:default
  • server:default
  • pig:runtimeClasspath
  • mongodb:default
  • redis:default
  • geode:runtimeClasspath
  • csv:runtimeClasspath
  • plus:default
  • cassandra:default

Identifiers

json4s-ast_2.10-3.2.11.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.json4s/json4s-ast_2.10/3.2.11/49ab60e86a2c3508d3d45a04dca6dfe173492fcf/json4s-ast_2.10-3.2.11.jar
MD5: ab23d8bffc4c38d138032dea39731f26
SHA1: 49ab60e86a2c3508d3d45a04dca6dfe173492fcf
SHA256:d445537674ce45a2f731bcf7bbb3b9ada04be1690d0d692e26e3090cf70359e4
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

json4s-core_2.10-3.2.11.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.json4s/json4s-core_2.10/3.2.11/dabb704ffdb3ede596e8df39959d092e1bab8816/json4s-core_2.10-3.2.11.jar
MD5: 7ebc37c9ee52320be85941ad16824fb0
SHA1: dabb704ffdb3ede596e8df39959d092e1bab8816
SHA256:bd4dd33875bb7297736e261e345fa2892db37c89e0e79fa8c69a05fbe4e9eb5e
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

json4s-jackson_2.10-3.2.11.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.json4s/json4s-jackson_2.10/3.2.11/c91b7c1c01d49ccccc1e715bb651440c8cd105f2/json4s-jackson_2.10-3.2.11.jar
MD5: 89fa356909c5ca4884de0fb2de07ce10
SHA1: c91b7c1c01d49ccccc1e715bb651440c8cd105f2
SHA256:22e20ac162302b6f2fcc84b6c3a7205d43c7b8b51bae568c3e5e223de7c5275a
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

jsoup-1.11.3.jar

Description:

jsoup is a Java library for working with real-world HTML. It provides a very convenient API for extracting and manipulating data, using the best of DOM, CSS, and jquery-like methods. jsoup implements the WHATWG HTML5 specification, and parses HTML to the same DOM as modern browsers do.

License:

The MIT License: https://jsoup.org/license
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jsoup/jsoup/1.11.3/36da09a8f68484523fa2aaa100399d612b247d67/jsoup-1.11.3.jar
MD5: 4735085c4a37313b00887dd0a0f99813
SHA1: 36da09a8f68484523fa2aaa100399d612b247d67
SHA256:df2c71a4240ecbdae7cdcd1667bcf0d747e4e3dcefe8161e787adcff7e5f2fa0
Referenced In Projects/Scopes:
  • file:compileClasspath
  • file:runtimeClasspath
  • calcite:sqllineClasspath
  • csv:runtimeClasspath
  • file:default
  • csv:default

Identifiers

jsp-2.1-6.1.14.jar

Description:

JSP2.1 Jasper implementation from Glassfish

License:

CDDL 1.0: https://glassfish.dev.java.net/public/CDDLv1.0.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.mortbay.jetty/jsp-2.1/6.1.14/3a1df1e8e0fa56e9a940abbd19bc6f397fce16b5/jsp-2.1-6.1.14.jar
MD5: 07aaf43ccf8bdbb5f205de106cd6cf9d
SHA1: 3a1df1e8e0fa56e9a940abbd19bc6f397fce16b5
SHA256:d954dad8aa71f2699f3590333e8c9b8d8fc1ea2c59d76035193b8ff2af05d63f
Referenced In Projects/Scopes:
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • pig:runtimeClasspath
  • piglet:default
  • pig:default
  • pig:compileClasspath

Identifiers

CVE-2009-1523  

Directory traversal vulnerability in the HTTP server in Mort Bay Jetty 5.1.14, 6.x before 6.1.17, and 7.x through 7.0.0.M2 allows remote attackers to access arbitrary files via directory traversal sequences in the URI.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

CVE-2009-1524  

Cross-site scripting (XSS) vulnerability in Mort Bay Jetty before 6.1.17 allows remote attackers to inject arbitrary web script or HTML via a directory listing request containing a ; (semicolon) character.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

CVE-2009-4609  

The Dump Servlet in Mort Bay Jetty 6.x and 7.0.0 allows remote attackers to obtain sensitive information about internal variables and other data via a request to a URI ending in /dump/, as demonstrated by discovering the value of the getPathTranslated variable.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

CVE-2009-4610  

Multiple cross-site scripting (XSS) vulnerabilities in Mort Bay Jetty 6.x and 7.0.0 allow remote attackers to inject arbitrary web script or HTML via (1) the query string to jsp/dump.jsp in the JSP Dump feature, or the (2) Name or (3) Value parameter to the default URI for the Session Dump Servlet under session/.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

CVE-2009-4611  

Mort Bay Jetty 6.x through 6.1.22 and 7.0.0 writes backtrace data without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator, related to (1) a string value in the Age parameter to the default URI for the Cookie Dump Servlet in test-jetty-webapp/src/main/java/com/acme/CookieDump.java under cookie/, (2) an alphabetic value in the A parameter to jsp/expr.jsp, or (3) an alphabetic value in the Content-Length HTTP header to an arbitrary application.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

CVE-2009-4612  

Multiple cross-site scripting (XSS) vulnerabilities in the WebApp JSP Snoop page in Mort Bay Jetty 6.1.x through 6.1.21 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the default URI under (1) jspsnoop/, (2) jspsnoop/ERROR/, and (3) jspsnoop/IOException/, and possibly the PATH_INFO to (4) snoop.jsp.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

CVE-2009-5048  

Cookie Dump Servlet stored XSS vulnerability in jetty through 6.1.20.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2009-5049  

WebApp JSP Snoop page XSS in jetty through 6.1.21.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2011-4461  

Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
CWE-310 Cryptographic Issues

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

jsp-api-2.1-6.1.14.jar

Description:

JSP2.1 API

License:

http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.mortbay.jetty/jsp-api-2.1/6.1.14/756b3fac155e31bd0e85545dbf953495e0455c73/jsp-api-2.1-6.1.14.jar
MD5: 65d8baf855d2ce15d5f3243ef3d232ef
SHA1: 756b3fac155e31bd0e85545dbf953495e0455c73
SHA256:dbe60706e1a2f3e3e3785b287d78b527b6f41aa637eccda4e3c384176c35a405
Referenced In Projects/Scopes:
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • pig:runtimeClasspath
  • piglet:default
  • pig:default
  • pig:compileClasspath

Identifiers

CVE-2009-1523  

Directory traversal vulnerability in the HTTP server in Mort Bay Jetty 5.1.14, 6.x before 6.1.17, and 7.x through 7.0.0.M2 allows remote attackers to access arbitrary files via directory traversal sequences in the URI.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

CVE-2009-1524  

Cross-site scripting (XSS) vulnerability in Mort Bay Jetty before 6.1.17 allows remote attackers to inject arbitrary web script or HTML via a directory listing request containing a ; (semicolon) character.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

CVE-2009-4609  

The Dump Servlet in Mort Bay Jetty 6.x and 7.0.0 allows remote attackers to obtain sensitive information about internal variables and other data via a request to a URI ending in /dump/, as demonstrated by discovering the value of the getPathTranslated variable.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

CVE-2009-4610  

Multiple cross-site scripting (XSS) vulnerabilities in Mort Bay Jetty 6.x and 7.0.0 allow remote attackers to inject arbitrary web script or HTML via (1) the query string to jsp/dump.jsp in the JSP Dump feature, or the (2) Name or (3) Value parameter to the default URI for the Session Dump Servlet under session/.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

CVE-2009-4611  

Mort Bay Jetty 6.x through 6.1.22 and 7.0.0 writes backtrace data without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator, related to (1) a string value in the Age parameter to the default URI for the Cookie Dump Servlet in test-jetty-webapp/src/main/java/com/acme/CookieDump.java under cookie/, (2) an alphabetic value in the A parameter to jsp/expr.jsp, or (3) an alphabetic value in the Content-Length HTTP header to an arbitrary application.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

CVE-2009-4612  

Multiple cross-site scripting (XSS) vulnerabilities in the WebApp JSP Snoop page in Mort Bay Jetty 6.1.x through 6.1.21 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the default URI under (1) jspsnoop/, (2) jspsnoop/ERROR/, and (3) jspsnoop/IOException/, and possibly the PATH_INFO to (4) snoop.jsp.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

CVE-2009-5048  

Cookie Dump Servlet stored XSS vulnerability in jetty through 6.1.20.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2009-5049  

WebApp JSP Snoop page XSS in jetty through 6.1.21.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2011-4461  

Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
CWE-310 Cryptographic Issues

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

jsp-api-2.1.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/javax.servlet.jsp/jsp-api/2.1/63f943103f250ef1f3a4d5e94d145a0f961f5316/jsp-api-2.1.jar
MD5: b8a34113a3a1ce29c8c60d7141f5a704
SHA1: 63f943103f250ef1f3a4d5e94d145a0f961f5316
SHA256:545f4e7dc678ffb4cf8bd0fd40b4a4470a409a787c0ea7d0ad2f08d56112987b
Referenced In Projects/Scopes:

  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • spark:default
  • piglet:default
  • spark:runtimeClasspath

Identifiers

jsqlparser-3.1.jar

Description:

JSqlParser parses an SQL statement and translates it into a hierarchy of Java classes. The generated hierarchy can be navigated using the Visitor Pattern.

License:

GNU Library or Lesser General Public License (LGPL) V2.1: http://www.gnu.org/licenses/lgpl-2.1.html
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.github.jsqlparser/jsqlparser/3.1/b8f2f838923317fb2bbd18a5e7850bb91a88330e/jsqlparser-3.1.jar
MD5: 7a5a8dbca36efdde5e438454ed9875a8
SHA1: b8f2f838923317fb2bbd18a5e7850bb91a88330e
SHA256:fd0a337376be3bf35194670c219eeb01e92faa15d78e3bc90ef3721bccdcf894
Referenced In Projects/Scopes:
  • innodb:compileClasspath
  • innodb:runtimeClasspath
  • calcite:sqllineClasspath
  • innodb:default

Identifiers

jsr305-3.0.2.jar

Description:

JSR305 Annotations for Findbugs

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.google.code.findbugs/jsr305/3.0.2/25ea2e8b0c338a877313bd4672d3fe056ea78f0d/jsr305-3.0.2.jar
MD5: dd83accb899363c32b07d7a1b2e4ce40
SHA1: 25ea2e8b0c338a877313bd4672d3fe056ea78f0d
SHA256:766ad2a0783f2687962c8ad74ceecc38a28b9f72a2d085ee438b7813e928d0c7
Referenced In Projects/Scopes:
  • cassandra:compileClasspath
  • piglet:compileClasspath
  • splunk:checkstyle
  • calcite:checkstyle
  • piglet:runtimeClasspath
  • spark:default
  • splunk:default
  • kafka:default
  • spark:compileClasspath
  • function:checkstyle
  • server:runtimeClasspath
  • cassandra:runtimeClasspath
  • druid:default
  • spark:runtimeClasspath
  • linq4j:runtimeClasspath
  • linq4j:default
  • druid:checkstyle
  • druid:compileClasspath
  • plus:compileClasspath
  • csv:checkstyle
  • linq4j:compileClasspath
  • pig:default
  • plus:runtimeClasspath
  • splunk:compileClasspath
  • core:checkstyle
  • function:default
  • file:compileClasspath
  • core:implementationDependenciesMetadata
  • file:checkstyle
  • kafka:runtimeClasspath
  • splunk:runtimeClasspath
  • file:runtimeClasspath
  • innodb:runtimeClasspath
  • elasticsearch:default
  • geode:checkstyle
  • kafka:compileClasspath
  • druid:runtimeClasspath
  • mongodb:checkstyle
  • elasticsearch:checkstyle
  • linq4j:checkstyle
  • redis:checkstyle
  • babel:checkstyle
  • mongodb:default
  • cassandra:default
  • innodb:checkstyle
  • cassandra:checkstyle
  • piglet:checkstyle
  • bom:checkstyle
  • babel:default
  • function:runtimeClasspath
  • redis:compileClasspath
  • redis:runtimeClasspath
  • spark:checkstyle
  • plus:checkstyle
  • core:default
  • function:compileClasspath
  • pig:checkstyle
  • elasticsearch:compileClasspath
  • babel:runtimeClasspath
  • elasticsearch:runtimeClasspath
  • innodb:default
  • piglet:default
  • babel:compileClasspath
  • server:checkstyle
  • csv:default
  • innodb:compileClasspath
  • core:compileClasspath
  • calcite:sqllineClasspath
  • core:runtimeClasspath
  • geode:default
  • geode:compileClasspath
  • mongodb:runtimeClasspath
  • release:checkstyle
  • file:default
  • server:default
  • kafka:checkstyle
  • ubenchmark:checkstyle
  • ubenchmark:jmhCompileClasspath
  • example:checkstyle
  • pig:runtimeClasspath
  • mongodb:compileClasspath
  • server:compileClasspath
  • redis:default
  • geode:runtimeClasspath
  • csv:compileClasspath
  • csv:runtimeClasspath
  • plus:default
  • pig:compileClasspath

Identifiers

jul-to-slf4j-1.7.16.jar

Description:

JUL to SLF4J bridge

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.slf4j/jul-to-slf4j/1.7.16/2d5b546c5557dcbf08c3a381d7dc9bd275a602c1/jul-to-slf4j-1.7.16.jar
MD5: 228ccd417ce9b7b6dcd78e8fee1a8ca0
SHA1: 2d5b546c5557dcbf08c3a381d7dc9bd275a602c1
SHA256:a67d98d27bfcbc120e0efbf47cf07fab85cb32b6b274d43257a29fa14bb659d0
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

junit-4.12.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/junit/junit/4.12/2973d150c0dc1fefe998f834810d68f278ea58ec/junit-4.12.jar
MD5: 5b38c40c97fbd0adee29f91e60405584
SHA1: 2973d150c0dc1fefe998f834810d68f278ea58ec
SHA256:59721f0805e223d84b90677887d9ff567dc534d7c502ca903c0c2b17f05c116a
Referenced In Projects/Scopes:

  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • pig:runtimeClasspath
  • piglet:default
  • pig:default
  • pig:compileClasspath

Identifiers

CVE-2020-15250  

In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix-like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: LOW (1.9)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

kafka-clients-2.1.1.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.kafka/kafka-clients/2.1.1/a7b72831768ccfd69128385130409ae1a0e52f5f/kafka-clients-2.1.1.jar
MD5: d61a86d65d977b8f7d7b73b9659f579b
SHA1: a7b72831768ccfd69128385130409ae1a0e52f5f
SHA256:d5c1ed6e23e815fe43c0f050ef0651110b9e9b59cfc4d86e50bf7cc084132a93
Referenced In Projects/Scopes:

  • kafka:runtimeClasspath
  • calcite:sqllineClasspath
  • kafka:compileClasspath
  • kafka:default

Identifiers

CVE-2019-12399  

When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created/updated on that Connect cluster to use an externalized secret variable in a substring of a connector configuration property value, then any client can issue a request to the same Connect cluster to obtain the connector's task configuration and the response will contain the plaintext secret rather than the externalized secrets variables.
CWE-319 Cleartext Transmission of Sensitive Information

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

kfs-0.3.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.sf.kosmosfs/kfs/0.3/20fcbc065182bdcd706c90a2eb383ae70eb5b223/kfs-0.3.jar
MD5: 791eb58893dc1335c8968b93d2f70fe6
SHA1: 20fcbc065182bdcd706c90a2eb383ae70eb5b223
SHA256:1807cbffb6c8876cf440b8f7d748fff49cea40ddd2d042bbb62bae3c87ba8842
Referenced In Projects/Scopes:

  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • pig:runtimeClasspath
  • piglet:default
  • pig:default
  • pig:compileClasspath

Identifiers

kotlin-compiler-embeddable-1.3.50.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-compiler-embeddable/1.3.50/1251c1768e5769b06c2487d6f6cf8acf6efb8960/kotlin-compiler-embeddable-1.3.50.jar
MD5: 92532617314cbc6aaedab9624912cce3
SHA1: 1251c1768e5769b06c2487d6f6cf8acf6efb8960
SHA256:00684f6e1f08c639d4476170fc0d1a2ab04414c8383513e241adc76afeead1fa
Referenced In Project/Scope:core:kotlinCompilerClasspath

Identifiers

CVE-2020-29582  

In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions.
CWE-276 Incorrect Default Permissions

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

kotlin-compiler-embeddable-1.3.50.jar: jansi.dll

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-compiler-embeddable/1.3.50/1251c1768e5769b06c2487d6f6cf8acf6efb8960/kotlin-compiler-embeddable-1.3.50.jar/META-INF/native/windows32/jansi.dll
MD5: 11656f6f0800535dc79259a4299f9b36
SHA1: 53877c745604e1489fbd7671646f3b1d4e7e2316
SHA256:57e149395d70908f47206be96e03414631ab0036b8f1edb2ec29510e54512157
Referenced In Project/Scope:core:kotlinCompilerClasspath

Identifiers

  • None

kotlin-compiler-embeddable-1.3.50.jar: jansi.dll

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-compiler-embeddable/1.3.50/1251c1768e5769b06c2487d6f6cf8acf6efb8960/kotlin-compiler-embeddable-1.3.50.jar/META-INF/native/windows64/jansi.dll
MD5: d5beb4ff523696be6d23c34a0a78fbe6
SHA1: 558aea23a4ea0f6e6824b8cd4d2b0ecb9a154f37
SHA256:3d74c12f1984b220e46456398a3890750e6aa1cc2b4102f9f8a0c0c21338d72c
Referenced In Project/Scope:core:kotlinCompilerClasspath

Identifiers

  • None

kotlin-daemon-embeddable-1.3.50.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-daemon-embeddable/1.3.50/5cb93bb33f4c6f833ead0beca4c831668e00cf52/kotlin-daemon-embeddable-1.3.50.jar
MD5: 021a81e41dee359c0c39bc2d2e857a9e
SHA1: 5cb93bb33f4c6f833ead0beca4c831668e00cf52
SHA256:c7b1b872e04a6fdfcfb1d0451de8a49f9900608bae93f9120c35bbcde2d911fa
Referenced In Project/Scope:core:kotlinCompilerClasspath

Identifiers

CVE-2020-29582  

In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions.
CWE-276 Incorrect Default Permissions

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

kotlin-reflect-1.3.50.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-reflect/1.3.50/b499f22fd7c3e9c2e5b6c4005221fa47fc7f9a7a/kotlin-reflect-1.3.50.jar
MD5: ab10cf971cb586b95fd5c88eef8668a1
SHA1: b499f22fd7c3e9c2e5b6c4005221fa47fc7f9a7a
SHA256:64583199ea5a54aefd1bd1595288925f784226ee562d1dd279011c6075b3d7a4
Referenced In Projects/Scopes:

  • core:kotlinCompilerClasspath
  • core:kotlinCompilerPluginClasspath

Identifiers

CVE-2020-29582  

In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions.
CWE-276 Incorrect Default Permissions

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

kotlin-script-runtime-1.3.50.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-script-runtime/1.3.50/59492b8dfb92522ba0ddb5dd1c4d0ef0a4fca1af/kotlin-script-runtime-1.3.50.jar
MD5: eb1e5b6c3193db19024efae302d12d62
SHA1: 59492b8dfb92522ba0ddb5dd1c4d0ef0a4fca1af
SHA256:7ff70c52bf062afbe0a0e78962a9b92b89b0cf4a47a481d24037257e56fb7e4c
Referenced In Projects/Scopes:

  • core:kotlinCompilerClasspath
  • core:kotlinCompilerPluginClasspath

Identifiers

CVE-2020-29582  

In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions.
CWE-276 Incorrect Default Permissions

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

kotlin-scripting-common-1.3.50.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-scripting-common/1.3.50/b8e0110c386c08f46a8c5e45b8c64aece1914867/kotlin-scripting-common-1.3.50.jar
MD5: c6920f2a3588acabb2bd2c59ed7fa01b
SHA1: b8e0110c386c08f46a8c5e45b8c64aece1914867
SHA256:dd16d71ee2f2f0f3e53cb7f32b30cc9fa1d457ad7d5f428d15a9638c1cc983fc
Referenced In Project/Scope:core:kotlinCompilerPluginClasspath

Identifiers

CVE-2020-29582  

In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions.
CWE-276 Incorrect Default Permissions

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

kotlin-scripting-compiler-embeddable-1.3.50.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-scripting-compiler-embeddable/1.3.50/8cf679fe2d8cd6fa57e9ca4ca46222d5477f077c/kotlin-scripting-compiler-embeddable-1.3.50.jar
MD5: 7489de341bef9c44ae38d16b5f2eed8c
SHA1: 8cf679fe2d8cd6fa57e9ca4ca46222d5477f077c
SHA256:baa76bdc840a1b7ffc88c5d6e327b75a37118a44e60deae56d71d408fd1c8ac5
Referenced In Project/Scope:core:kotlinCompilerPluginClasspath

Identifiers

CVE-2020-29582  

In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions.
CWE-276 Incorrect Default Permissions

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

kotlin-scripting-compiler-impl-embeddable-1.3.50.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-scripting-compiler-impl-embeddable/1.3.50/cc87aae13b61cdcf296ac9416b464e44f27b6dc4/kotlin-scripting-compiler-impl-embeddable-1.3.50.jar
MD5: 2140667346491cf9f1e827f2362eab16
SHA1: cc87aae13b61cdcf296ac9416b464e44f27b6dc4
SHA256:4ab8accc2bff60ae6d767f7e96036f0f8807e21bf758362e023e3ea57c4e490f
Referenced In Project/Scope:core:kotlinCompilerPluginClasspath

Identifiers

CVE-2020-29582  

In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions.
CWE-276 Incorrect Default Permissions

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

kotlin-scripting-jvm-1.3.50.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-scripting-jvm/1.3.50/53f579e1bee3dab3df915d923ad1bb43bc37cd18/kotlin-scripting-jvm-1.3.50.jar
MD5: 3a5ae5237add447bb605480b6c634dd1
SHA1: 53f579e1bee3dab3df915d923ad1bb43bc37cd18
SHA256:fa6fa1b78ae0d3e6f950143567cc207e03b64ce6cba842c5149a5226a784c0c2
Referenced In Project/Scope:core:kotlinCompilerPluginClasspath

Identifiers

CVE-2020-29582  

In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions.
CWE-276 Incorrect Default Permissions

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

kotlin-stdlib-1.3.50.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.3.50/b529d1738c7e98bbfa36a4134039528f2ce78ebf/kotlin-stdlib-1.3.50.jar
MD5: 99ff15c1ebad291873bb7d93a27ff0f2
SHA1: b529d1738c7e98bbfa36a4134039528f2ce78ebf
SHA256:e6f05746ee0366d0b52825a090fac474dcf44082c9083bbb205bd16976488d6c
Referenced In Projects/Scopes:

  • core:kotlinCompilerClasspath
  • core:kotlinCompilerPluginClasspath

Identifiers

CVE-2020-29582  

In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions.
CWE-276 Incorrect Default Permissions

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

kotlin-stdlib-common-1.3.50.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib-common/1.3.50/3d9cd3e1bc7b92e95f43d45be3bfbcf38e36ab87/kotlin-stdlib-common-1.3.50.jar
MD5: 42dbb03a04cbcf11a64cc84ce6343324
SHA1: 3d9cd3e1bc7b92e95f43d45be3bfbcf38e36ab87
SHA256:8ce678e88e4ba018b66dacecf952471e4d7dfee156a8a819760a5a5ff29d323c
Referenced In Projects/Scopes:

  • core:kotlinCompilerClasspath
  • core:kotlinCompilerPluginClasspath

Identifiers

CVE-2020-29582  

In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions.
CWE-276 Incorrect Default Permissions

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

kotlinx-coroutines-core-1.1.1.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlinx/kotlinx-coroutines-core/1.1.1/3d2b7321cdef9ebf9cb7729ea4f75a6f6457df86/kotlinx-coroutines-core-1.1.1.jar
MD5: 461aa5da3569a08d9e3e9423191d86b8
SHA1: 3d2b7321cdef9ebf9cb7729ea4f75a6f6457df86
SHA256:ac423f8a0aa4b4e74529696ff82c0171f81a8c8ab182a1965dff25e69c1f7844
Referenced In Project/Scope:core:kotlinCompilerPluginClasspath

Identifiers

kryo-shaded-3.0.3.jar

Description:

Fast, efficient Java serialization. This is the parent pom that assembles the main kryo and shaded kryo artifacts.

License:

New BSD License: http://www.opensource.org/licenses/bsd-license.php
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.esotericsoftware/kryo-shaded/3.0.3/977d6b42d82de551fcf77dad84ef06c2839e3a74/kryo-shaded-3.0.3.jar
MD5: d31aced491436960a12bded1d8e65658
SHA1: 977d6b42d82de551fcf77dad84ef06c2839e3a74
SHA256:71727556d387eada4578305fd337b3e046ecf8535f99ed66169ab2a3034418e0
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

kryo-shaded-3.0.3.jar (shaded: com.esotericsoftware:reflectasm:1.10.1)

Description:

High performance Java reflection using code generation

License:

New BSD License: http://www.opensource.org/licenses/bsd-license.php
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.esotericsoftware/kryo-shaded/3.0.3/977d6b42d82de551fcf77dad84ef06c2839e3a74/kryo-shaded-3.0.3.jar/META-INF/maven/com.esotericsoftware/reflectasm/pom.xml
MD5: 465f30eeba109df60a69edbe3ef27ed6
SHA1: f14467654c23c365515cf98bae0b0f56d070fa09
SHA256:c090b6506aefb072f25a85886e0e84786fcc98e982ccb5f5cddcd2e8db666be3
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

leveldbjni-all-1.8.jar

Description:

An uber jar which contains all the leveldbjni platform libraries and dependencies

License:

http://www.opensource.org/licenses/BSD-3-Clause
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.fusesource.leveldbjni/leveldbjni-all/1.8/707350a2eeb1fa2ed77a32ddb3893ed308e941db/leveldbjni-all-1.8.jar
MD5: 6944e9bc03c7938868e53c96726ae914
SHA1: 707350a2eeb1fa2ed77a32ddb3893ed308e941db
SHA256:c297213b0e6f9392305952753f3099a4c02e70b3656266fe01867e7b6c160ffe
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

leveldbjni-all-1.8.jar: leveldbjni.dll

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.fusesource.leveldbjni/leveldbjni-all/1.8/707350a2eeb1fa2ed77a32ddb3893ed308e941db/leveldbjni-all-1.8.jar/META-INF/native/windows32/leveldbjni.dll
MD5: 551b9310a9ed358359296a89715df2f4
SHA1: bba450e93688b872b3fcaa31e8457950e97d8429
SHA256:3cf3f6284f99acad369a15f0b4eca8e0dec2b0342651c519e4665570da8a68ee
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

  • None

leveldbjni-all-1.8.jar: leveldbjni.dll

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.fusesource.leveldbjni/leveldbjni-all/1.8/707350a2eeb1fa2ed77a32ddb3893ed308e941db/leveldbjni-all-1.8.jar/META-INF/native/windows64/leveldbjni.dll
MD5: 4b6fa20009ca1eb556e752671461a3f2
SHA1: 978ca9c96c03eb220556ce5bc96c715f95a0967c
SHA256:7794f7bbc848d1a9ad98996f2c68a1cf12ac17562f646c6d7f5733404a7b5ef1
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

  • None

listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar

Description:

    An empty artifact that Guava depends on to signal that it is providing
    ListenableFuture -- but is also available in a second "version" that
    contains com.google.common.util.concurrent.ListenableFuture class, without
    any other Guava classes. The idea is:

    - If users want only ListenableFuture, they depend on listenablefuture-1.0.

    - If users want all of Guava, they depend on guava, which, as of Guava
    27.0, depends on
    listenablefuture-9999.0-empty-to-avoid-conflict-with-guava. The 9999.0-...
    version number is enough for some build systems (notably, Gradle) to select
    that empty artifact over the "real" listenablefuture-1.0 -- avoiding a
    conflict with the copy of ListenableFuture in guava itself. If users are
    using an older version of Guava or a build system other than Gradle, they
    may see class conflicts. If so, they can solve them by manually excluding
    the listenablefuture artifact or manually forcing their build systems to
    use 9999.0-....
  

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.google.guava/listenablefuture/9999.0-empty-to-avoid-conflict-with-guava/b421526c5f297295adef1c886e5246c39d4ac629/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
MD5: d094c22570d65e132c19cea5d352e381
SHA1: b421526c5f297295adef1c886e5246c39d4ac629
SHA256:b372a037d4230aa57fbeffdef30fd6123f9c0c2db85d0aced00c91b974f33f99
Referenced In Projects/Scopes:

  • cassandra:compileClasspath
  • piglet:compileClasspath
  • splunk:checkstyle
  • calcite:checkstyle
  • piglet:runtimeClasspath
  • spark:default
  • splunk:default
  • kafka:default
  • spark:compileClasspath
  • function:checkstyle
  • server:runtimeClasspath
  • cassandra:runtimeClasspath
  • druid:default
  • spark:runtimeClasspath
  • linq4j:runtimeClasspath
  • linq4j:default
  • druid:checkstyle
  • druid:compileClasspath
  • plus:compileClasspath
  • csv:checkstyle
  • linq4j:compileClasspath
  • pig:default
  • plus:runtimeClasspath
  • splunk:compileClasspath
  • core:checkstyle
  • function:default
  • file:compileClasspath
  • core:implementationDependenciesMetadata
  • file:checkstyle
  • kafka:runtimeClasspath
  • splunk:runtimeClasspath
  • file:runtimeClasspath
  • innodb:runtimeClasspath
  • elasticsearch:default
  • geode:checkstyle
  • kafka:compileClasspath
  • druid:runtimeClasspath
  • mongodb:checkstyle
  • elasticsearch:checkstyle
  • linq4j:checkstyle
  • redis:checkstyle
  • babel:checkstyle
  • mongodb:default
  • cassandra:default
  • innodb:checkstyle
  • cassandra:checkstyle
  • piglet:checkstyle
  • bom:checkstyle
  • babel:default
  • function:runtimeClasspath
  • redis:compileClasspath
  • redis:runtimeClasspath
  • spark:checkstyle
  • plus:checkstyle
  • core:default
  • function:compileClasspath
  • pig:checkstyle
  • elasticsearch:compileClasspath
  • babel:runtimeClasspath
  • elasticsearch:runtimeClasspath
  • innodb:default
  • piglet:default
  • babel:compileClasspath
  • server:checkstyle
  • csv:default
  • innodb:compileClasspath
  • core:compileClasspath
  • calcite:sqllineClasspath
  • core:runtimeClasspath
  • geode:default
  • geode:compileClasspath
  • mongodb:runtimeClasspath
  • release:checkstyle
  • file:default
  • server:default
  • kafka:checkstyle
  • ubenchmark:checkstyle
  • ubenchmark:jmhCompileClasspath
  • example:checkstyle
  • pig:runtimeClasspath
  • mongodb:compileClasspath
  • server:compileClasspath
  • redis:default
  • geode:runtimeClasspath
  • csv:compileClasspath
  • csv:runtimeClasspath
  • plus:default
  • pig:compileClasspath

Identifiers

log4j-1.2.17.jar

Description:

Apache Log4j 1.2

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/log4j/log4j/1.2.17/5af35056b4d257e4b64b9e8069c0746e8b08629f/log4j-1.2.17.jar
MD5: 04a41f0a068986f0f73485cf507c0f40
SHA1: 5af35056b4d257e4b64b9e8069c0746e8b08629f
SHA256:1d31696445697720527091754369082a6651bd49781b6005deb94e56753406f9
Referenced In Projects/Scopes:
  • piglet:compileClasspath
  • babel:default
  • piglet:runtimeClasspath
  • spark:default
  • splunk:default
  • function:runtimeClasspath
  • kafka:default
  • spark:compileClasspath
  • redis:runtimeClasspath
  • server:runtimeClasspath
  • cassandra:runtimeClasspath
  • druid:default
  • spark:runtimeClasspath
  • core:default
  • babel:runtimeClasspath
  • elasticsearch:runtimeClasspath
  • innodb:default
  • piglet:default
  • pig:default
  • plus:runtimeClasspath
  • function:default
  • csv:default
  • innodb:compileClasspath
  • core:implementationDependenciesMetadata
  • kafka:runtimeClasspath
  • splunk:runtimeClasspath
  • core:compileClasspath
  • file:runtimeClasspath
  • innodb:runtimeClasspath
  • calcite:sqllineClasspath
  • core:runtimeClasspath
  • geode:default
  • elasticsearch:default
  • druid:runtimeClasspath
  • mongodb:runtimeClasspath
  • file:default
  • server:default
  • pig:runtimeClasspath
  • mongodb:default
  • redis:default
  • geode:runtimeClasspath
  • csv:runtimeClasspath
  • plus:default
  • cassandra:default

Identifiers

CVE-2019-17571  

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2020-9488  

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.
CWE-295 Improper Certificate Validation

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: LOW (3.7)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

log4j-api-2.13.3.jar

Description:

The Apache Log4j API

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.logging.log4j/log4j-api/2.13.3/ec1508160b93d274b1add34419b897bae84c6ca9/log4j-api-2.13.3.jar
MD5: 236b9969df6b394e88283a9f813b9b95
SHA1: ec1508160b93d274b1add34419b897bae84c6ca9
SHA256:2b4b1965c9dce7f3732a0fbf5c8493199c1e6bf8cf65c3e235b57d98da5f36af
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • geode:default
  • geode:runtimeClasspath

Identifiers

lombok-1.18.10.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.projectlombok/lombok/1.18.10/625fc0055674dff70dbc76efa36d0f2c89b04a24/lombok-1.18.10.jar
MD5: a549b7cd139ccef0fe19d8e7cb5953cd
SHA1: 625fc0055674dff70dbc76efa36d0f2c89b04a24
SHA256:2836e954823bfcbad45e78c18896e3d01058e6f643749810c608b7005ee7b2fa
Referenced In Projects/Scopes:

  • innodb:compileClasspath
  • innodb:runtimeClasspath
  • calcite:sqllineClasspath
  • innodb:default

Identifiers

lz4-1.3.0.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.jpountz.lz4/lz4/1.3.0/c708bb2590c0652a642236ef45d9f99ff842a2ce/lz4-1.3.0.jar
MD5: 13deb68e0fb236a9f9e07dccaa4dfabd
SHA1: c708bb2590c0652a642236ef45d9f99ff842a2ce
SHA256:b877a4d4a3a0140486d3d0f83d9058e7c0ff6ca80b00d2f7b77145935b385b56
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

lz4-java-1.5.0.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.lz4/lz4-java/1.5.0/d36fb639f06aaa4f17307625f80e2e32f815672a/lz4-java-1.5.0.jar
MD5: d4b3c2a4224642a562296d919fba747a
SHA1: d36fb639f06aaa4f17307625f80e2e32f815672a
SHA256:88a92c42e32f921a7cb37cd3ad30817c1e07c95fc7d52b53cd9e212bfe3b358f
Referenced In Projects/Scopes:

  • kafka:runtimeClasspath
  • calcite:sqllineClasspath
  • kafka:compileClasspath
  • kafka:default

Identifiers

mail-1.4.7.jar

Description:

JavaMail API (compat)

License:

http://www.sun.com/cddl, https://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/javax.mail/mail/1.4.7/9add058589d5d85adeb625859bf2c5eeaaedf12d/mail-1.4.7.jar
MD5: 77f53ff0c78ba43c4812ecc9f53e20f8
SHA1: 9add058589d5d85adeb625859bf2c5eeaaedf12d
SHA256:78c33b4f7c7b60f4b680f2d2405b1f063d71929cf1a4fbc328888379f365fcfb
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

memory-0.9.0.jar

Description:

Memory contains interfaces and classes to allocate and access off-heap memory

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.yahoo.datasketches/memory/0.9.0/10a7f4c09076d5c5d5d7a3f0546b71764ec5704/memory-0.9.0.jar
MD5: 57e843b3603c435fd3ea482388da5bcf
SHA1: 010a7f4c09076d5c5d5d7a3f0546b71764ec5704
SHA256:c7d22ca0298753de7a5c85edc9b926892936e978595fe44375159b8ada15fdfc
Referenced In Projects/Scopes:

  • babel:default
  • piglet:runtimeClasspath
  • spark:default
  • splunk:default
  • function:runtimeClasspath
  • kafka:default
  • redis:runtimeClasspath
  • server:runtimeClasspath
  • cassandra:runtimeClasspath
  • druid:default
  • spark:runtimeClasspath
  • core:default
  • babel:runtimeClasspath
  • elasticsearch:runtimeClasspath
  • innodb:default
  • piglet:default
  • pig:default
  • plus:runtimeClasspath
  • function:default
  • csv:default
  • core:implementationDependenciesMetadata
  • kafka:runtimeClasspath
  • splunk:runtimeClasspath
  • core:compileClasspath
  • file:runtimeClasspath
  • innodb:runtimeClasspath
  • calcite:sqllineClasspath
  • core:runtimeClasspath
  • geode:default
  • elasticsearch:default
  • druid:runtimeClasspath
  • mongodb:runtimeClasspath
  • file:default
  • server:default
  • pig:runtimeClasspath
  • mongodb:default
  • redis:default
  • geode:runtimeClasspath
  • csv:runtimeClasspath
  • plus:default
  • cassandra:default

Identifiers

metrics-core-3.1.2.jar

Description:

        Metrics is a Java library which gives you unparalleled insight into what your code does in
        production. Metrics provides a powerful toolkit of ways to measure the behavior of critical
        components in your production environment.
    

License:

http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/io.dropwizard.metrics/metrics-core/3.1.2/224f03afd2521c6c94632f566beb1bb5ee32cf07/metrics-core-3.1.2.jar
MD5: b8b2de75247322a0c037420f5708e592
SHA1: 224f03afd2521c6c94632f566beb1bb5ee32cf07
SHA256:245ba2a66a9bc710ce4db14711126e77bcb4e6d96ef7e622659280f3c90cbb5c
Referenced In Projects/Scopes:
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

metrics-core-3.2.2.jar

Description:

        Metrics is a Java library which gives you unparalleled insight into what your code does in
        production. Metrics provides a powerful toolkit of ways to measure the behavior of critical
        components in your production environment.
    

License:

http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/io.dropwizard.metrics/metrics-core/3.2.2/cd9886f498ee2ab2d994f0c779e5553b2c450416/metrics-core-3.2.2.jar
MD5: da529999d5083e800829eaab432a8a54
SHA1: cd9886f498ee2ab2d994f0c779e5553b2c450416
SHA256:5c6f685e41664d10c70c65837cba9e58d39ff3896811e3b5707a934b11c85ad0
Referenced In Projects/Scopes:
  • cassandra:compileClasspath
  • calcite:sqllineClasspath
  • cassandra:runtimeClasspath
  • cassandra:default

Identifiers

metrics-graphite-3.1.2.jar

Description:

        A reporter for Metrics which announces measurements to a Graphite server.
    

License:

http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/io.dropwizard.metrics/metrics-graphite/3.1.2/15a68399652c6123fe6e4c82ac4f0749e2eb6583/metrics-graphite-3.1.2.jar
MD5: 90905e4fae6cff5cdf6faa8c8e218cc5
SHA1: 15a68399652c6123fe6e4c82ac4f0749e2eb6583
SHA256:b08f4fd5907c7fa5b4dacc047ce4c7bc9a2a18c3860e2b8e8b84a0149ef326e1
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

metrics-json-3.1.2.jar

Description:

        A set of Jackson modules which provide serializers for most Metrics classes.
    

License:

http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/io.dropwizard.metrics/metrics-json/3.1.2/88d9e57e1ef6431109d4030c717cf5f927900fd9/metrics-json-3.1.2.jar
MD5: 50f9bb226e088a95dd7eaa848bd3c656
SHA1: 88d9e57e1ef6431109d4030c717cf5f927900fd9
SHA256:fcedfa0040e4412ac4395049a52c5ebe4ca7d6a55e99207f3f508ec22108cb9d
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

metrics-jvm-3.1.2.jar

Description:

        A set of classes which allow you to monitor critical aspects of your Java Virtual Machine
        using Metrics.
    

License:

http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/io.dropwizard.metrics/metrics-jvm/3.1.2/ed364e77218e50fdcdebce4d982cb4d1f4a8c187/metrics-jvm-3.1.2.jar
MD5: 0d18317a48fc7d4c33cfb31b9d537eab
SHA1: ed364e77218e50fdcdebce4d982cb4d1f4a8c187
SHA256:0350dd123d20a1090858a44ef2809cccfb6d49fcf31bc636a1b4aa5cf3e7a50d
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

micrometer-core-1.2.0.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/io.micrometer/micrometer-core/1.2.0/e085f337633b807020596b37dc9c9ccd3ee1a1f/micrometer-core-1.2.0.jar
MD5: 2d61ce6aa26bfe578bfbdc5c9fecfe78
SHA1: 0e085f337633b807020596b37dc9c9ccd3ee1a1f
SHA256:9aacd657e0904f0b9c2f5bccbc92456b73debd2106cf0232b33f86dea57ab1c7
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • geode:default
  • geode:compileClasspath
  • geode:runtimeClasspath

Identifiers

micrometer-core-1.2.0.jar (shaded: org.pcollections:pcollections:3.0.3)

Description:

A Persistent Java Collections Library

License:

The MIT License: https://opensource.org/licenses/mit-license.php
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/io.micrometer/micrometer-core/1.2.0/e085f337633b807020596b37dc9c9ccd3ee1a1f/micrometer-core-1.2.0.jar/META-INF/maven/org.pcollections/pcollections/pom.xml
MD5: 35ba5e5a8572be83189294f2607ee97b
SHA1: 312cf913d2d027395cf9cb15a46af2e763e876c6
SHA256:dbd55a6571ebc17f31e4ba012d35aae6d6384d35287e12cb69a02a5597547a42
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • geode:default
  • geode:compileClasspath
  • geode:runtimeClasspath

Identifiers

minlog-1.3.0.jar

Description:

Minimal overhead Java logging

License:

New BSD License: http://www.opensource.org/licenses/bsd-license.php
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.esotericsoftware/minlog/1.3.0/ff07b5f1b01d2f92bb00a337f9a94873712f0827/minlog-1.3.0.jar
MD5: 5ab0ee168b90e0ad7010b159e603d304
SHA1: ff07b5f1b01d2f92bb00a337f9a94873712f0827
SHA256:f7b399d3a5478a4f3e0d98bd1c9f47766119c66414bc33aa0f6cde0066f24cc2
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

mongo-java-driver-3.10.2.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.mongodb/mongo-java-driver/3.10.2/ebd0adedee91359b5dec9c6768e8489f6ad472f2/mongo-java-driver-3.10.2.jar
MD5: 001e135416f6605546a20f8984769256
SHA1: ebd0adedee91359b5dec9c6768e8489f6ad472f2
SHA256:bfeba21e18c3b63e62f3a99cf6787a5e3c0a7453a08e3dde5285e0daa2d6baca
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • mongodb:compileClasspath
  • mongodb:default
  • mongodb:runtimeClasspath

Identifiers

mx4j-3.0.2.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/mx4j/mx4j/3.0.2/47bf147f11b4a026263e1c96a1ea0e029f9e5ab6/mx4j-3.0.2.jar
MD5: 7a242daa907034067c195a4836ed9f16
SHA1: 47bf147f11b4a026263e1c96a1ea0e029f9e5ab6
SHA256:e7e3713e1455dbba454331c9d69567923911bd8fc89e4b5997b6d884b0f58b5c
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

natty-0.13.jar

Description:

natural language date parser

License:

MIT License: LICENSE
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.joestelmach/natty/0.13/5a8bd7504927a9aeaf7bf998a346e56292b6fb2a/natty-0.13.jar
MD5: d5e0b77adc39acb4f9f1c01c08c324c7
SHA1: 5a8bd7504927a9aeaf7bf998a346e56292b6fb2a
SHA256:e9b0512e3dc7b7fa845d34041b58b3e34fdfca20852c2d25fb84ad7566c5815c
Referenced In Projects/Scopes:
  • file:compileClasspath
  • file:runtimeClasspath
  • calcite:sqllineClasspath
  • csv:runtimeClasspath
  • file:default
  • csv:default

Identifiers

netty-3.7.0.Final.jar

Description:

    The Netty project is an effort to provide an asynchronous event-driven
    network application framework and tools for rapid development of
    maintainable high performance and high scalability protocol servers and
    clients.  In other words, Netty is a NIO client server framework which
    enables quick and easy development of network applications such as protocol
    servers and clients. It greatly simplifies and streamlines network
    programming such as TCP and UDP socket server.
  

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/io.netty/netty/3.7.0.Final/7a8c35599c68c0bf383df74469aa3e03d9aca87/netty-3.7.0.Final.jar
MD5: c9ef3b2f37d581e500a9d6c1efc4ab69
SHA1: 07a8c35599c68c0bf383df74469aa3e03d9aca87
SHA256:aa44be64442b9cbc5edd521476b9f1c272eec6a53dca104cf3032f42ad20ff89
Referenced In Projects/Scopes:
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • piglet:default

Identifiers

CVE-2014-0193  

WebSocket08FrameDecoder in Netty 3.6.x before 3.6.9, 3.7.x before 3.7.1, 3.8.x before 3.8.2, 3.9.x before 3.9.1, and 4.0.x before 4.0.19 allows remote attackers to cause a denial of service (memory consumption) via a TextWebSocketFrame followed by a long stream of ContinuationWebSocketFrames.
CWE-399 Resource Management Errors

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P

CVE-2014-3488  

The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P

CVE-2015-2156  

Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2019-16869  

Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2019-20444  

HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVE-2019-20445  

HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVE-2021-21290  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own "java.io.tmpdir" when you start the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions

CVSSv2:
  • Base Score: LOW (1.9)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE-2021-21295  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: LOW (2.6)
  • Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2021-21409  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which failed to fix this one case. This was fixed as part of 4.1.61.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

POODLE vulnerability in SSLv3.0 support (OSSINDEX)  

The SSLv3 support is vulnerable to a POODLE attack. SSLv3 should be disabled pending implementation of TLS_FALLBACK_SCSV by Oracle.
Unscored:
  • Severity: Unknown

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:io.netty:netty:3.7.0.Final:*:*:*:*:*:*:*

netty-3.9.9.Final.jar

Description:

    The Netty project is an effort to provide an asynchronous event-driven
    network application framework and tools for rapid development of
    maintainable high performance and high scalability protocol servers and
    clients.  In other words, Netty is a NIO client server framework which
    enables quick and easy development of network applications such as protocol
    servers and clients. It greatly simplifies and streamlines network
    programming such as TCP and UDP socket server.
  

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/io.netty/netty/3.9.9.Final/58e0a7e7ff773f84d02d4f006ae9dd31ad22a0b1/netty-3.9.9.Final.jar
MD5: cff043f83e1e74a25819082405057517
SHA1: 58e0a7e7ff773f84d02d4f006ae9dd31ad22a0b1
SHA256:697af248e216c9e158b3c9d6702f54541188fc92de19ac9d2f5496f80bce7aba
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

CVE-2019-16869  

Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2019-20444  

HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVE-2019-20445  

HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVE-2021-21290  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own "java.io.tmpdir" when you start the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions

CVSSv2:
  • Base Score: LOW (1.9)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE-2021-21295  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, users can do the validation themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: LOW (2.6)
  • Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2021-21409  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which failed to fix this one case. This was fixed as part of 4.1.61.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

netty-all-4.0.43.Final.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/io.netty/netty-all/4.0.43.Final/9781746a179070e886e1fb4b1971a6bbf02061a4/netty-all-4.0.43.Final.jar
MD5: 27eaaaa1996fbbd1195deb7e1b20a71c
SHA1: 9781746a179070e886e1fb4b1971a6bbf02061a4
SHA256:fe754fb5d8bd2d088fc92fcfa97297f1e8055b43d4fd64b01179a00a978a692d
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

CVE-2019-16869  

Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2019-20444  

HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVE-2019-20445  

HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVE-2021-21290  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporary storing of uploads on the disk is enabled. On Unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on Unix-like systems creates a random file, but by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify one's own "java.io.tmpdir" when starting the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions

CVSSv2:
  • Base Score: LOW (1.9)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE-2021-21295  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, users can do the validation themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: LOW (2.6)
  • Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2021-21409  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which failed to fix this one case. This was fixed as part of 4.1.61.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

netty-buffer-4.0.56.Final.jar

Description:

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

License:

http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/io.netty/netty-buffer/4.0.56.Final/b39eb8a9e5c99a31773fe7fc93523fd379d7a71/netty-buffer-4.0.56.Final.jar
MD5: b99393d447c142d0df3d9e161d1018f4
SHA1: 0b39eb8a9e5c99a31773fe7fc93523fd379d7a71
SHA256:055f5ccfd7f9683c5d961fbf4466778d5b91ebf8b1f2ddd2eed539a82352b695
Referenced In Projects/Scopes:
  • cassandra:compileClasspath
  • calcite:sqllineClasspath
  • cassandra:runtimeClasspath
  • cassandra:default

Identifiers

CVE-2019-16869  

Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2019-20444  

HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVE-2019-20445  

HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVE-2021-21290  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporary storing of uploads on the disk is enabled. On Unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on Unix-like systems creates a random file, but by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify one's own "java.io.tmpdir" when starting the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions

CVSSv2:
  • Base Score: LOW (1.9)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE-2021-21295  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, users can do the validation themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: LOW (2.6)
  • Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2021-21409  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which failed to fix this one case. This was fixed as part of 4.1.61.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

netty-codec-4.0.56.Final.jar

Description:

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

License:

http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec/4.0.56.Final/bd9ecf1cf3721bbedfd2fb0c52d4f56803ff270d/netty-codec-4.0.56.Final.jar
MD5: 663d30a9b118bab61dad8824d9f99eda
SHA1: bd9ecf1cf3721bbedfd2fb0c52d4f56803ff270d
SHA256:f5921cb7f0f7a9188241321cbab4e208c75d49f4b97fae46eed01e60ef57800f
Referenced In Projects/Scopes:
  • cassandra:compileClasspath
  • calcite:sqllineClasspath
  • cassandra:runtimeClasspath
  • cassandra:default

Identifiers

CVE-2019-16869  

Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2019-20444  

HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVE-2019-20445  

HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVE-2021-21290  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporary storing of uploads on the disk is enabled. On Unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on Unix-like systems creates a random file, but by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify one's own "java.io.tmpdir" when starting the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions

CVSSv2:
  • Base Score: LOW (1.9)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE-2021-21295  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, users can do the validation themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: LOW (2.6)
  • Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2021-21409  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which failed to fix this one case. This was fixed as part of 4.1.61.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

netty-common-4.0.56.Final.jar

Description:

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

License:

http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/io.netty/netty-common/4.0.56.Final/b0cd4003e71c5b1b43344bf58050f2133f27bac9/netty-common-4.0.56.Final.jar
MD5: afa9c32ec2a11fe0bc23a82a432c9451
SHA1: b0cd4003e71c5b1b43344bf58050f2133f27bac9
SHA256:5d50a53f063c6544433951a04099b0eec17ddd5a1c7f5b0c63f38912daef1677
Referenced In Projects/Scopes:
  • cassandra:compileClasspath
  • calcite:sqllineClasspath
  • cassandra:runtimeClasspath
  • cassandra:default

Identifiers

CVE-2019-16869  

Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2019-20444  

HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVE-2019-20445  

HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVE-2021-21290  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporary storing of uploads on the disk is enabled. On Unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on Unix-like systems creates a random file, but by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify one's own "java.io.tmpdir" when starting the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions

CVSSv2:
  • Base Score: LOW (1.9)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE-2021-21295  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, users can do the validation themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: LOW (2.6)
  • Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2021-21409  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which failed to fix this one case. This was fixed as part of 4.1.61.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

netty-common-4.0.56.Final.jar (shaded: org.jctools:jctools-core:2.1.1)

Description:

Java Concurrency Tools Core Library

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/io.netty/netty-common/4.0.56.Final/b0cd4003e71c5b1b43344bf58050f2133f27bac9/netty-common-4.0.56.Final.jar/META-INF/maven/org.jctools/jctools-core/pom.xml
MD5: d532029de01ef1c790266dea91b1ecdc
SHA1: f9571c65e428d21c795a34de2b217419dfc0e2f7
SHA256:db8f1cd5b23d38e3dcf7020d739e1c2f9559489051291d8a07095e62b8d7f750
Referenced In Projects/Scopes:
  • cassandra:compileClasspath
  • calcite:sqllineClasspath
  • cassandra:runtimeClasspath
  • cassandra:default

Identifiers

netty-handler-4.0.56.Final.jar

Description:

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

License:

http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/io.netty/netty-handler/4.0.56.Final/bf3ee7d214897d3968c1d29a28ee6d5f964876ae/netty-handler-4.0.56.Final.jar
MD5: 1905d61b3a8a16b53ce49a67771fd48d
SHA1: bf3ee7d214897d3968c1d29a28ee6d5f964876ae
SHA256:b1a634a593bb9d1c3e881817991aa5e5fe34b338295ccc1f464511d0af809c61
Referenced In Projects/Scopes:
  • cassandra:compileClasspath
  • calcite:sqllineClasspath
  • cassandra:runtimeClasspath
  • cassandra:default

Identifiers

CVE-2019-16869  

Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2019-20444  

HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2019-20445  

HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2021-21290  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, you may specify your own "java.io.tmpdir" when you start the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions

CVSSv2:
  • Base Score: LOW (1.9)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2021-21295  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: LOW (2.6)
  • Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2021-21409  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which failed to fix this one case. This was fixed as part of 4.1.61.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

netty-transport-4.0.56.Final.jar

Description:

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

License:

http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/io.netty/netty-transport/4.0.56.Final/535223be500f76fd02b271e4c15c8678d10830ab/netty-transport-4.0.56.Final.jar
MD5: 08acfd4dc9a6ea1569dca5ab11824979
SHA1: 535223be500f76fd02b271e4c15c8678d10830ab
SHA256:adec23f7790a138014a15eff4c85939cddec63d49f9ef0810725cb4aa5518199
Referenced In Projects/Scopes:
  • cassandra:compileClasspath
  • calcite:sqllineClasspath
  • cassandra:runtimeClasspath
  • cassandra:default

Identifiers

CVE-2019-16869  

Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2019-20444  

HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2019-20445  

HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  • Base Score: CRITICAL (9.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2021-21290  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, you may specify your own "java.io.tmpdir" when you start the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions

CVSSv2:
  • Base Score: LOW (1.9)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2021-21295  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: LOW (2.6)
  • Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2021-21409  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which failed to fix this one case. This was fixed as part of 4.1.61.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

objenesis-2.1.jar

Description:

A library for instantiating Java objects

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.objenesis/objenesis/2.1/87c0ea803b69252868d09308b4618f766f135a96/objenesis-2.1.jar
MD5: 32ccb1d20a42b5aaaceb90c9082a2efa
SHA1: 87c0ea803b69252868d09308b4618f766f135a96
SHA256:c74330cc6b806c804fd37e74487b4fe5d7c2750c5e15fbc6efa13bdee1bdef80
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

opencsv-2.3.jar

Description:

A simple library for reading and writing CSV in Java

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.sf.opencsv/opencsv/2.3/c23708cdb9e80a144db433e23344a788a1fd6599/opencsv-2.3.jar
MD5: 9eebabaa007dc329845e5ab3c12b4e6b
SHA1: c23708cdb9e80a144db433e23344a788a1fd6599
SHA256:dc0ba5bff6140dc92339973026a0ecbddc2a3b01bdd46ed9d16becc2f6d78de6
Referenced In Projects/Scopes:
  • file:compileClasspath
  • splunk:runtimeClasspath
  • file:runtimeClasspath
  • calcite:sqllineClasspath
  • splunk:default
  • csv:runtimeClasspath
  • file:default
  • splunk:compileClasspath
  • csv:default

Identifiers

oro-2.0.8.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/oro/oro/2.0.8/5592374f834645c4ae250f4c9fbb314c9369d698/oro-2.0.8.jar
MD5: 42e940d5d2d822f4dc04c65053e630ab
SHA1: 5592374f834645c4ae250f4c9fbb314c9369d698
SHA256:e00ccdad5df7eb43fdee44232ef64602bf63807c2d133a7be83ba09fd49af26e
Referenced In Projects/Scopes:

  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • pig:runtimeClasspath
  • spark:default
  • spark:compileClasspath
  • piglet:default
  • pig:default
  • spark:runtimeClasspath
  • pig:compileClasspath

Identifiers

osgi-resource-locator-1.0.1.jar

Description:

See http://wiki.glassfish.java.net/Wiki.jsp?page=JdkSpiOsgi for more information

License:

https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.glassfish.hk2/osgi-resource-locator/1.0.1/4ed2b2d4738aed5786cfa64cba5a332779c4c708/osgi-resource-locator-1.0.1.jar
MD5: 51e70ad8fc9d1e9fb19debeb55555b75
SHA1: 4ed2b2d4738aed5786cfa64cba5a332779c4c708
SHA256:775003be577e8806f51b6e442be1033d83be2cb2207227b349be0bf16e6c0843
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

paranamer-2.3.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.thoughtworks.paranamer/paranamer/2.3/4a85963a752c0a2f715c3924bfc686865e7e1bc6/paranamer-2.3.jar
MD5: e3060bebfe449abeb277e77c4c3388cb
SHA1: 4a85963a752c0a2f715c3924bfc686865e7e1bc6
SHA256:e93f50ae4d0de11080677f44ab268691266fed2b3ff7bc6fd97636febae7d8fe
Referenced In Projects/Scopes:

  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • pig:runtimeClasspath
  • piglet:default
  • pig:default
  • pig:compileClasspath

Identifiers

paranamer-2.8.jar

Description:

Paranamer allows runtime access to constructor and method parameter names for Java classes

License:

LICENSE.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.thoughtworks.paranamer/paranamer/2.8/619eba74c19ccf1da8ebec97a2d7f8ba05773dd6/paranamer-2.8.jar
MD5: f213c72b67d4850f17a4a3e9064904de
SHA1: 619eba74c19ccf1da8ebec97a2d7f8ba05773dd6
SHA256:688cb118a6021d819138e855208c956031688be4b47a24bb615becc63acedf07
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

picocli-4.1.4.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/info.picocli/picocli/4.1.4/e9ac7856611815391f85ac66c8ceadacb51250b5/picocli-4.1.4.jar
MD5: 28605e00382694eb4944d5edb340cb5b
SHA1: e9ac7856611815391f85ac66c8ceadacb51250b5
SHA256:4649b93987327cbd4abb44bd24870ff49e3f8faf2fd5c32c0ade28ec9c213687
Referenced In Projects/Scopes:

  • splunk:checkstyle
  • cassandra:checkstyle
  • piglet:checkstyle
  • calcite:checkstyle
  • bom:checkstyle
  • function:checkstyle
  • spark:checkstyle
  • plus:checkstyle
  • pig:checkstyle
  • druid:checkstyle
  • csv:checkstyle
  • core:checkstyle
  • server:checkstyle
  • file:checkstyle
  • geode:checkstyle
  • mongodb:checkstyle
  • elasticsearch:checkstyle
  • release:checkstyle
  • kafka:checkstyle
  • ubenchmark:checkstyle
  • linq4j:checkstyle
  • redis:checkstyle
  • babel:checkstyle
  • example:checkstyle
  • innodb:checkstyle

Identifiers

pig-0.16.0-h2.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.pig/pig/0.16.0/cad5f4e97b6c02c7b4585c9c1ae772184c61b88c/pig-0.16.0-h2.jar
MD5: c44f6cd4ec923abd3d14ff86b0312f50
SHA1: cad5f4e97b6c02c7b4585c9c1ae772184c61b88c
SHA256:a54b59e95e571145646ca9597c6c39e6a188216d25aa2c82980c8588d00ad6c7
Referenced In Projects/Scopes:

  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • pig:runtimeClasspath
  • piglet:default
  • pig:default
  • pig:compileClasspath

Identifiers

protobuf-java-3.6.1.jar

Description:

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

License:

https://opensource.org/licenses/BSD-3-Clause
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.6.1/d06d46ecfd92ec6d0f3b423b4cd81cb38d8b924/protobuf-java-3.6.1.jar
MD5: 17b60a7d277343a16fe881d18adecc0b
SHA1: 0d06d46ecfd92ec6d0f3b423b4cd81cb38d8b924
SHA256:fb66d913ff0578553b2e28a3338cbbbe2657e6cfe0e98d939f23aea219daf508
Referenced In Projects/Scopes:
  • cassandra:compileClasspath
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • spark:default
  • splunk:default
  • kafka:default
  • spark:compileClasspath
  • server:runtimeClasspath
  • cassandra:runtimeClasspath
  • druid:default
  • spark:runtimeClasspath
  • linq4j:runtimeClasspath
  • linq4j:default
  • druid:compileClasspath
  • plus:compileClasspath
  • linq4j:compileClasspath
  • pig:default
  • plus:runtimeClasspath
  • splunk:compileClasspath
  • function:default
  • file:compileClasspath
  • core:implementationDependenciesMetadata
  • kafka:runtimeClasspath
  • splunk:runtimeClasspath
  • file:runtimeClasspath
  • innodb:runtimeClasspath
  • elasticsearch:default
  • kafka:compileClasspath
  • druid:runtimeClasspath
  • mongodb:default
  • cassandra:default
  • babel:default
  • function:runtimeClasspath
  • redis:compileClasspath
  • redis:runtimeClasspath
  • core:default
  • function:compileClasspath
  • elasticsearch:compileClasspath
  • babel:runtimeClasspath
  • elasticsearch:runtimeClasspath
  • innodb:default
  • piglet:default
  • babel:compileClasspath
  • csv:default
  • innodb:compileClasspath
  • core:compileClasspath
  • calcite:sqllineClasspath
  • core:runtimeClasspath
  • geode:default
  • geode:compileClasspath
  • mongodb:runtimeClasspath
  • file:default
  • server:default
  • ubenchmark:jmhCompileClasspath
  • pig:runtimeClasspath
  • mongodb:compileClasspath
  • server:compileClasspath
  • redis:default
  • geode:runtimeClasspath
  • csv:compileClasspath
  • csv:runtimeClasspath
  • plus:default
  • pig:compileClasspath

Identifiers

py4j-0.10.7.jar

Description:

Py4J enables Python programs running in a Python interpreter to dynamically access Java objects in a Java Virtual Machine. Methods are called as if the Java objects resided in the Python interpreter and Java collections can be accessed through standard Python collection methods. Py4J also enables Java programs to call back Python objects.

License:

The New BSD License: http://www.opensource.org/licenses/bsd-license.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.sf.py4j/py4j/0.10.7/e733e888c2e798ea15802f12a9f3130949ca741f/py4j-0.10.7.jar
MD5: 51552359047812808cde255ef38e78d2
SHA1: e733e888c2e798ea15802f12a9f3130949ca741f
SHA256:49d1e3e86532a6c68c399fb83508603ebeeb9b942e0cf301db71c7987fd4dfcb
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

pyrolite-4.13.jar

Description:

This library allows your Java program to interface very easily with the Python world. It uses the Pyro protocol to call methods on remote objects. (See https://github.com/irmen/Pyro4). To that end, it also contains and uses a feature complete pickle protocol implementation -read and write- to exchange data with Pyro/Python.

Pyrolite only implements part of the client side Pyro library, hence its name 'lite'...  But because Pyrolite has no dependencies, it is a much lighter way to use Pyro from Java/.NET than a solution with jython+pyro or IronPython+Pyro would provide. So if you don't need Pyro's full feature set, and don't require your Java/.NET code to host Pyro objects itself, Pyrolite may be a good choice to connect java or .NET and python.
Version 4.13 can now register a custom pickler for inheritance tree of interfaces or abstract base class.

License:

MIT License: https://raw.githubusercontent.com/irmen/Pyrolite/master/LICENSE
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.razorvine/pyrolite/4.13/b71a4668b0c4194486832fe7ce161eed2d0d12cb/pyrolite-4.13.jar
MD5: b4ab074cb07e995bcbd203c72e5efa1d
SHA1: b71a4668b0c4194486832fe7ce161eed2d0d12cb
SHA256:4ba424d328cbd7a6ff73108cce40d3cc376eef602b947e57fdc782171d92e463
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

quidem-0.9.jar

Description:

Idempotent query scripts

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.hydromatic/quidem/0.9/207853540d6a2a8ede539fa570da6ab6ba427dc5/quidem-0.9.jar
MD5: 10525f465a02c3aa4a0536151cb10f15
SHA1: 207853540d6a2a8ede539fa570da6ab6ba427dc5
SHA256:b9cad3f7718cd4b4c513c489d195a35047624062cc07f52a054a2c8830e3f4ba
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • plus:compileClasspath
  • plus:default
  • plus:runtimeClasspath

Identifiers

rmiio-2.1.2.jar

Description:

IO related classes for streaming data over RMI

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.healthmarketscience.rmiio/rmiio/2.1.2/1d35887bc716bff6e51d7530bb5abf14fc211e70/rmiio-2.1.2.jar
MD5: 0a91a763604f68cbdcb6acc81a1de4b9
SHA1: 1d35887bc716bff6e51d7530bb5abf14fc211e70
SHA256:277163857431024c4279683a3df23032c15f3427d1e1b6567cd4d0dd6666e1e9
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • geode:default
  • geode:runtimeClasspath

Identifiers

scala-compiler-2.10.0.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.scala-lang/scala-compiler/2.10.0/fec8066cd2b4f8dc7ff7ba7a8e0a792939d9f9a/scala-compiler-2.10.0.jar
MD5: 292c35cfba775896c36cbb9a045d2138
SHA1: 0fec8066cd2b4f8dc7ff7ba7a8e0a792939d9f9a
SHA256:31283efbb9f955449a1d28a6fba68f67df75a4da0828cd7605e7c28038365622
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

CVE-2017-15288  

The compilation daemon in Scala before 2.10.7, 2.11.x before 2.11.12, and 2.12.x before 2.12.4 uses weak permissions for private files in /tmp/scala-devel/${USER:shared}/scalac-compile-server-port, which allows local users to write to arbitrary class files and consequently gain privileges.
CWE-732 Incorrect Permission Assignment for Critical Resource

CVSSv2:
  • Base Score: HIGH (7.2)
  • Vector: /AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (7.8)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

scala-compiler-2.10.0.jar: diagrams.js

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.scala-lang/scala-compiler/2.10.0/fec8066cd2b4f8dc7ff7ba7a8e0a792939d9f9a/scala-compiler-2.10.0.jar/scala/tools/nsc/doc/html/resource/lib/diagrams.js
MD5: 58321351be7cf563cc8321f50f9f6ae1
SHA1: 85f3fafca7a08e014a90cd047a4114c95a3d43c9
SHA256:e815264202c67b4d796e6e38051e0870b42e805cf1fe7fd78fc4599ed48240df
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

  • None

scala-compiler-2.10.0.jar: index.js

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.scala-lang/scala-compiler/2.10.0/fec8066cd2b4f8dc7ff7ba7a8e0a792939d9f9a/scala-compiler-2.10.0.jar/scala/tools/nsc/doc/html/resource/lib/index.js
MD5: c68a4e1d74826c60d1d0875ab100fe96
SHA1: 080bad3733d5774c927852b4702175c45e9816ae
SHA256:2e2064634ca2cd7da676e1ef3ef8957f4f11d3df926eab2a9aa87dbbc3ca7e52
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

  • None

scala-compiler-2.10.0.jar: jquery-ui.js

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.scala-lang/scala-compiler/2.10.0/fec8066cd2b4f8dc7ff7ba7a8e0a792939d9f9a/scala-compiler-2.10.0.jar/scala/tools/nsc/doc/html/resource/lib/jquery-ui.js
MD5: 2e5cf7e1e4b6ad05bfb6aead63f372f9
SHA1: 81269986fe3d866d0430312c1dc18a718cc2d728
SHA256:f6c8f3c1c946e8a5b8d6e129c833fbd680159b53f2413e218675e0e9a72e6c2e
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

CVE-2010-5312  

Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title option.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:jquery:jquery_ui:*:*:*:*:*:*:*:* versions up to (excluding) 1.10.0

CVE-2016-7103  

Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject arbitrary web script or HTML via the closeText parameter of the dialog function.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:* versions up to (excluding) 19.1
  • cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 16.0; versions up to (including) 16.2
  • cpe:2.3:a:redhat:openstack:7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:openstack:9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 18.0; versions up to (including) 18.8.4
  • cpe:2.3:a:redhat:openstack:8.0:*:*:*:*:*:*:*
  • cpe:2.3:a:jquery:jquery_ui:*:*:*:*:*:*:*:* versions from (including) 1.10.0; versions up to (including) 1.11.4
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:jquery:jquery_ui:1.10.0:beta1:*:*:*:*:*:*
  • cpe:2.3:a:jquery:jquery_ui:1.10.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:oracle:hospitality_cruise_fleet_management:9.0.11:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 17.0; versions up to (including) 17.12.4
  • cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*

scala-compiler-2.10.0.jar: jquery.js

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.scala-lang/scala-compiler/2.10.0/fec8066cd2b4f8dc7ff7ba7a8e0a792939d9f9a/scala-compiler-2.10.0.jar/scala/tools/nsc/doc/html/resource/lib/jquery.js
MD5: 0b6ecf17e30037994d3ffee51b525914
SHA1: d09d3a99ed25d0f1fbe6856de9e14ffd33557256
SHA256:f554d2f09272c6f71447ebfe4532d3b1dd1959bce669f9a5ccc99e64ef511729
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

CVE-2012-6708  

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions up to (excluding) 1.9.0

CVE-2015-9251  

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.0; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:communications_webrtc_session_controller:*:*:*:*:*:*:*:* versions up to (excluding) 7.2
  • cpe:2.3:a:oracle:banking_platform:2.6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:oss_support_tools:19.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:business_process_management_suite:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions up to (excluding) 3.0.0
  • cpe:2.3:a:oracle:endeca_information_discovery_studio:3.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_workforce_management_software:1.60.9:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 7.3.3; versions up to (including) 7.3.5
  • cpe:2.3:a:oracle:communications_converged_application_server:*:*:*:*:*:*:*:* versions up to (excluding) 7.0.0.1
  • cpe:2.3:a:oracle:healthcare_foundation:7.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_gateway:17.12:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.0.6
  • cpe:2.3:a:oracle:retail_allocation:15.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:business_process_management_suite:11.1.1.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 17.1; versions up to (including) 17.12
  • cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_gateway:16.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_services_gatekeeper:*:*:*:*:*:*:*:* versions up to (excluding) 6.1.0.4.0
  • cpe:2.3:a:oracle:hospitality_cruise_fleet_management:9.0.11:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:utilities_mobile_workforce_management:2.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:utilities_framework:*:*:*:*:*:*:*:* versions from (including) 4.3.0.1; versions up to (including) 4.3.0.4
  • cpe:2.3:a:oracle:retail_sales_audit:15.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_interactive_session_recorder:6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_operations_monitor:4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_reconciliation_framework:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:webcenter_sites:11.1.1.8.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_foundation:7.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_gateway:15.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:service_bus:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_operations_monitor:3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:service_bus:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_reporting_and_analytics:9.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:real-time_scheduler:2.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_invoice_matching:15.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_platform:2.6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_asset_liability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_data_integration_hub:*:*:*:*:*:*:*:* versions from (including) 8.0.5; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:weblogic_server:12.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_reconciliation_framework:8.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_workforce_management_software:1.64.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:siebel_ui_framework:18.10:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_interactive_session_recorder:6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.5:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_profitability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.6
  • cpe:2.3:a:oracle:siebel_ui_framework:18.11:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_interactive_session_recorder:6.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.4:*:*:*:*:*:*:*

CVE-2019-11358  

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.5.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.1.0
  • cpe:2.3:a:oracle:healthcare_translational_research:3.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.8
  • cpe:2.3:a:oracle:jdeveloper_and_adf:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:bi_publisher:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:siebel_ui_framework:20.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper_and_adf:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:virtualization_manager:4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:* versions up to (excluding) 19.1
  • cpe:2.3:a:oracle:application_testing_suite:13.1.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 19.12.0; versions up to (including) 19.12.4
  • cpe:2.3:a:oracle:healthcare_foundation:7.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 17.7; versions up to (including) 17.12
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:diagnostic_assistant:2.12.36:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_report_manager:8.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:policy_automation:10.4.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:knowledge:*:*:*:*:*:*:*:* versions from (including) 8.6.0; versions up to (including) 8.6.3
  • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.0.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_foundation:7.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_de_nederlandsche_bank:8.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_operations_monitor:4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:transportation_management:1.4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.0.7
  • cpe:2.3:a:redhat:cloudforms:4.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.4.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_ifrs_17_analyzer:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_service_level_management:13.2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:service_bus:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.4.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:service_bus:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_operations_monitor:3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:12.2.0.1:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:financial_services_asset_liability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:application_testing_suite:13.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
  • cpe:2.3:a:backdropcms:backdrop:*:*:*:*:*:*:*:* versions from (including) 1.11.0; versions up to (excluding) 1.11.9
  • cpe:2.3:a:oracle:real-time_scheduler:*:*:*:*:*:*:*:* versions from (including) 2.3.0.1; versions up to (including) 2.3.0.3
  • cpe:2.3:a:oracle:jdeveloper_and_adf:11.1.1.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_retail_customer_analytics:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.6
  • cpe:2.3:a:oracle:service_bus:11.1.1.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_foundation:7.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_central_office:14.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_european_banking_authority:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_returns_management:14.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_european_banking_authority:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_profitability_management:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:*:*:*:*:*:*:*:* versions from (including) 5.0.0.0; versions up to (including) 5.6.0.0
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:communications_application_session_controller:3.8m0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_diameter_signaling_router:8.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_report_manager:8.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 7.3.3; versions up to (including) 7.3.5
  • cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:rest_data_services:18c:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:communications_session_report_manager:8.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:18.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_enterprise_financial_performance_analytics:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_analytics:12.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_point-of-service:14.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_retail_performance_analytics:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:policy_automation:12.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.6.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_unified_inventory_management:7.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:retail_back_office:14.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:12.1.0.2:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:policy_automation_connector_for_siebel:10.4.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_simphony:*:*:*:*:*:*:*:* versions from (including) 19.1.0; versions up to (including) 19.1.2
  • cpe:2.3:a:oracle:policy_automation_for_mobile_devices:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.15
  • cpe:2.3:a:oracle:hospitality_simphony:18.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_service_level_management:13.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_testing_suite:13.2.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.6.0; versions up to (excluding) 8.6.15
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*
  • cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions up to (excluding) 3.4.0
  • cpe:2.3:a:oracle:communications_interactive_session_recorder:*:*:*:*:*:*:*:* versions from (including) 6.0; versions up to (including) 6.4
  • cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:18.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_data_integration_hub:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_element_manager:8.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_testing_suite:12.5.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:policy_automation:12.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_testing_suite:13.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_operations_monitor:4.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_diameter_signaling_router:8.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_performance_insight:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:* versions from (including) 2.4.0; versions up to (including) 2.10.0
  • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 16.2.0; versions up to (including) 16.2.11
  • cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 17.12.0; versions up to (including) 17.12.7
  • cpe:2.3:a:oracle:jdeveloper:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_point-of-service:14.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_enterprise_financial_performance_analytics:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:11.2.0.4:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.15
  • cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_profitability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:big_data_discovery:1.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_ifrs_17_analyzer:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_data_governance_for_us_regulatory_reporting:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.9
  • cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_enterprise_collections:*:*:*:*:*:*:*:* versions from (including) 2.7.0; versions up to (including) 2.8.0
  • cpe:2.3:a:oracle:system_utilities:19.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:tape_library_acsls:8.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_foundation:7.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.4.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 18.8.0; versions up to (including) 18.8.9
  • cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.66
  • cpe:2.3:a:oracle:rest_data_services:19c:*:*:*:-:*:*:*
  • cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_central_office:14.1:*:*:*:*:*:*:*
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.5.0; versions up to (excluding) 8.5.15
  • cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* versions from (including) 3.0; versions up to (including) 3.1.3
  • cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_session_border_controller:8.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_accounting_analyzer:8.0.9:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_retail_performance_analytics:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2:*:*:*:*:*:*:*
  • cpe:2.3:a:backdropcms:backdrop:*:*:*:*:*:*:*:* versions from (including) 1.12.0; versions up to (excluding) 1.12.6
  • cpe:2.3:a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_gateway:15.2.18:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_us_federal_reserve:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_webrtc_session_controller:7.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_asset_liability_management:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_simphony:18.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_balance_sheet_planning:8.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_data_integration_hub:*:*:*:*:*:*:*:* versions from (including) 8.0.5; versions up to (including) 8.0.7
  • cpe:2.3:a:oracle:communications_operations_monitor:*:*:*:*:*:*:*:* versions from (including) 4.1; versions up to (including) 4.3
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:bi_publisher:5.5.0.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:bi_publisher:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*
  • cpe:2.3:a:oracle:tape_library_acsls:8.5:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:siebel_mobile_applications:*:*:*:*:*:*:*:* versions up to (including) 19.8
  • cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_translational_research:3.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:utilities_mobile_workforce_management:*:*:*:*:*:*:*:* versions from (including) 2.3.0.1; versions up to (including) 2.3.0.3

CVE-2020-11022  

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Vulnerable Software & Versions (NVD):

  • cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_product_supplier_collaboration_for_process:6.2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:siebel_ui_framework:20.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:18.2:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_data_integration_hub:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_european_banking_authority:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.8.0; versions up to (excluding) 8.8.6
  • cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_foundation:7.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_profitability_management:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdeveloper:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_profitability_management:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_asset_liability_management:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.70
  • cpe:2.3:a:oracle:policy_automation_for_mobile_devices:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.20
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_data_governance_for_us_regulatory_reporting:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.9
  • cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_foundation:7.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8
  • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8
  • cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:healthcare_foundation:7.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.6.0.0; versions up to (including) 8.1.0.0.0
  • cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_returns_management:14.0:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_us_federal_reserve:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.9
  • cpe:2.3:a:oracle:financial_services_profitability_management:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:*:*:*:*:*:*:*:* versions from (including) 5.0.0.0; versions up to (including) 5.6.0.0
  • cpe:2.3:a:netapp:max_data:-:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:insurance_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0
  • cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* versions from (including) 3.0; versions up to (including) 3.1.3
  • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*

CVE-2020-11023  

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (NVD):


scala-compiler-2.10.0.jar: jquery.layout.js

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.scala-lang/scala-compiler/2.10.0/fec8066cd2b4f8dc7ff7ba7a8e0a792939d9f9a/scala-compiler-2.10.0.jar/scala/tools/nsc/doc/html/resource/lib/jquery.layout.js
MD5: ba42679ab5ce86e54d4f3d4d480e6609
SHA1: 0be8c667d43687590cf3ec3abb8b47c4349453ac
SHA256:0bd0f3fd24187c12afef6fdadc45829e8397bd86bf350bfab966c090203a657c
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

  • None

scala-compiler-2.10.0.jar: modernizr.custom.js

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.scala-lang/scala-compiler/2.10.0/fec8066cd2b4f8dc7ff7ba7a8e0a792939d9f9a/scala-compiler-2.10.0.jar/scala/tools/nsc/doc/html/resource/lib/modernizr.custom.js
MD5: 350aeacb2780a90495094db70b7a6d21
SHA1: 0b78efd666ca58b71e87d86e83f4768ce51d6348
SHA256:d7ba4db2f617af853ad324e7e1a012c43f14ec7436afad430794bb1fe11f7e99
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

  • None

scala-compiler-2.10.0.jar: raphael-min.js

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.scala-lang/scala-compiler/2.10.0/fec8066cd2b4f8dc7ff7ba7a8e0a792939d9f9a/scala-compiler-2.10.0.jar/scala/tools/nsc/doc/html/resource/lib/raphael-min.js
MD5: ffd330bd214b7b0a8e14e613765b606e
SHA1: bfd83096d2178219ccd3f8fc592ae41cdf4e822e
SHA256:bc48ca793c3d326ffb5dc26272f0080516416bb772bf97072f0ee44ef0902d4a
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

  • None

scala-compiler-2.10.0.jar: scheduler.js

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.scala-lang/scala-compiler/2.10.0/fec8066cd2b4f8dc7ff7ba7a8e0a792939d9f9a/scala-compiler-2.10.0.jar/scala/tools/nsc/doc/html/resource/lib/scheduler.js
MD5: c8935628dd9136fbd393272f5ad4ddcf
SHA1: 3bfb402f3c98e5f16614849b2fef101d86dfd36e
SHA256:fc3f0dfd8c921b1bc7fe81ccc488cc019bdff330aa0ba82651c857acde10db15
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

  • None

scala-compiler-2.10.0.jar: template.js

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.scala-lang/scala-compiler/2.10.0/fec8066cd2b4f8dc7ff7ba7a8e0a792939d9f9a/scala-compiler-2.10.0.jar/scala/tools/nsc/doc/html/resource/lib/template.js
MD5: b30b730f804d5afceee582903f4cc26e
SHA1: b5724b735c3e4e60e827417232be78831584ff70
SHA256:93021a12c274f65eeaf7bd3c81dd560e1d2a3de0e00f82104d575e344feacfb0
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

  • None

scala-compiler-2.10.0.jar: tools.tooltip.js

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.scala-lang/scala-compiler/2.10.0/fec8066cd2b4f8dc7ff7ba7a8e0a792939d9f9a/scala-compiler-2.10.0.jar/scala/tools/nsc/doc/html/resource/lib/tools.tooltip.js
MD5: 03e77aac18ea20591d845ec76dff56de
SHA1: a792987be027c6076ba530129452482556515a9a
SHA256:57e3a83e9784ff5d76bead2740133ef115fd29eb76fc9a77f151f4674430048e
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

  • None

scala-library-2.10.7.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.scala-lang/scala-library/2.10.7/ac1add55906d5b811e4dee996fc9c8fc6da6bf59/scala-library-2.10.7.jar
MD5: 627b4232273c9d657cbb5b0a57f48e1e
SHA1: ac1add55906d5b811e4dee996fc9c8fc6da6bf59
SHA256:691193f773eb114db18b48e94132612f4d910f11efd36c2f1547e636db96e4e5
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

scala-reflect-2.10.0.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.scala-lang/scala-reflect/2.10.0/10ec1256a6e875e886fec050edb0669166912d0d/scala-reflect-2.10.0.jar
MD5: 807058212d45c796f30a4f6ff26acb02
SHA1: 10ec1256a6e875e886fec050edb0669166912d0d
SHA256:84bae8ce3b369febb9436fe36ed9b9d7dcc51af2cc9b8a3317a33124cfd5d4a9
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

CVE-2017-15288  

The compilation daemon in Scala before 2.10.7, 2.11.x before 2.11.12, and 2.12.x before 2.12.4 uses weak permissions for private files in /tmp/scala-devel/${USER:shared}/scalac-compile-server-port, which allows local users to write to arbitrary class files and consequently gain privileges.
CWE-732 Incorrect Permission Assignment for Critical Resource

CVSSv2:
  • Base Score: HIGH (7.2)
  • Vector: /AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSSv3:
  • Base Score: HIGH (7.8)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

scalap-2.10.0.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.scala-lang/scalap/2.10.0/ab42ae21d1fd7311b367fe3d7f33343f2e4bff6b/scalap-2.10.0.jar
MD5: 35720575a68e8553e8783dc5e7284758
SHA1: ab42ae21d1fd7311b367fe3d7f33343f2e4bff6b
SHA256:ca6e4c7a413af3ae9bf2685b6b637e117209bdb795f73e744136b7ed296ea950
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

scott-data-hsqldb-0.1.jar

Description:

Scott data set in hsqldb format

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.hydromatic/scott-data-hsqldb/0.1/3dd0f7ea938b2d146867d4e9f270b464a46e4543/scott-data-hsqldb-0.1.jar
MD5: bccf5e8193522f2b2691c2decf2f04db
SHA1: 3dd0f7ea938b2d146867d4e9f270b464a46e4543
SHA256:6f12fc6f1d917169852b9d68ae1d9830061d15836a9e52a10daf28220c85e6d6
Referenced In Project/Scope: calcite:sqllineClasspath

Identifiers

serializer-2.7.1.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/xalan/serializer/2.7.1/4b4b18df434451249bb65a63f2fb69e215a6a020/serializer-2.7.1.jar
MD5: a6b64dfe58229bdd810263fa0cc54cff
SHA1: 4b4b18df434451249bb65a63f2fb69e215a6a020
SHA256:a15078d243d4a20b6b4e8ae2f61ed4655e352054e121aada6f7441f1ed445a3c
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:runtimeClasspath

Identifiers

CVE-2014-0107 (OSSINDEX)  

The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.
CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:xalan:serializer:2.7.1:*:*:*:*:*:*:*

servlet-api-2.5-20081211.jar

Description:

Servlet Specification API

License:

http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.mortbay.jetty/servlet-api/2.5-20081211/22bff70037e1e6fa7e6413149489552ee2064702/servlet-api-2.5-20081211.jar
MD5: 083898d794cc261853922ca941aee390
SHA1: 22bff70037e1e6fa7e6413149489552ee2064702
SHA256:068756096996fe00f604ac3b6672d6f663dc777ea4a83056e240d0456e77e472
Referenced In Projects/Scopes:
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • pig:runtimeClasspath
  • piglet:default
  • pig:default
  • pig:compileClasspath

Identifiers

CVE-2005-3747  

Unspecified vulnerability in Jetty before 5.1.6 allows remote attackers to obtain source code of JSP pages, possibly involving requests for .jsp files with URL-encoded backslash ("%5C") characters.  NOTE: this might be the same issue as CVE-2006-2758.
NVD-CWE-noinfo, CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2007-5615  

CRLF injection vulnerability in Mortbay Jetty before 6.1.6rc0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
CWE-94 Improper Control of Generation of Code ('Code Injection')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N

References:

Vulnerable Software & Versions:

CVE-2009-1523  

Directory traversal vulnerability in the HTTP server in Mort Bay Jetty 5.1.14, 6.x before 6.1.17, and 7.x through 7.0.0.M2 allows remote attackers to access arbitrary files via directory traversal sequences in the URI.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2009-1524  

Cross-site scripting (XSS) vulnerability in Mort Bay Jetty before 6.1.17 allows remote attackers to inject arbitrary web script or HTML via a directory listing request containing a ; (semicolon) character.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

References:

Vulnerable Software & Versions:

CVE-2009-5048  

Cookie Dump Servlet stored XSS vulnerability in Jetty through 6.1.20.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2009-5049  

WebApp JSP Snoop page XSS in Jetty through 6.1.21.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

servlet-api-2.5-6.1.14.jar

Description:

Servlet Specification 2.5 API

License:

CDDL 1.0: https://glassfish.dev.java.net/public/CDDLv1.0.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.mortbay.jetty/servlet-api-2.5/6.1.14/5f07601ab7d7c85dd9e38a17c0e1b0edfbd4a191/servlet-api-2.5-6.1.14.jar
MD5: 0e13653c2c2b081afe8f92331d81ffa7
SHA1: 5f07601ab7d7c85dd9e38a17c0e1b0edfbd4a191
SHA256:0ed33ee3051866a3a6331976cdf5098a36aefd16ec1fa2d836eb067e37d46d47
Referenced In Projects/Scopes:
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • pig:runtimeClasspath
  • piglet:default
  • pig:default
  • pig:compileClasspath

Identifiers

CVE-2009-1523  

Directory traversal vulnerability in the HTTP server in Mort Bay Jetty 5.1.14, 6.x before 6.1.17, and 7.x through 7.0.0.M2 allows remote attackers to access arbitrary files via directory traversal sequences in the URI.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2009-1524  

Cross-site scripting (XSS) vulnerability in Mort Bay Jetty before 6.1.17 allows remote attackers to inject arbitrary web script or HTML via a directory listing request containing a ; (semicolon) character.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

References:

Vulnerable Software & Versions:

CVE-2009-4609  

The Dump Servlet in Mort Bay Jetty 6.x and 7.0.0 allows remote attackers to obtain sensitive information about internal variables and other data via a request to a URI ending in /dump/, as demonstrated by discovering the value of the getPathTranslated variable.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2009-4610  

Multiple cross-site scripting (XSS) vulnerabilities in Mort Bay Jetty 6.x and 7.0.0 allow remote attackers to inject arbitrary web script or HTML via (1) the query string to jsp/dump.jsp in the JSP Dump feature, or the (2) Name or (3) Value parameter to the default URI for the Session Dump Servlet under session/.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

References:

Vulnerable Software & Versions:

CVE-2009-4611  

Mort Bay Jetty 6.x through 6.1.22 and 7.0.0 writes backtrace data without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator, related to (1) a string value in the Age parameter to the default URI for the Cookie Dump Servlet in test-jetty-webapp/src/main/java/com/acme/CookieDump.java under cookie/, (2) an alphabetic value in the A parameter to jsp/expr.jsp, or (3) an alphabetic value in the Content-Length HTTP header to an arbitrary application.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

References:

Vulnerable Software & Versions:

CVE-2009-4612  

Multiple cross-site scripting (XSS) vulnerabilities in the WebApp JSP Snoop page in Mort Bay Jetty 6.1.x through 6.1.21 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the default URI under (1) jspsnoop/, (2) jspsnoop/ERROR/, and (3) jspsnoop/IOException/, and possibly the PATH_INFO to (4) snoop.jsp.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

References:

Vulnerable Software & Versions:

CVE-2009-5048  

Cookie Dump Servlet stored XSS vulnerability in Jetty through 6.1.20.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2009-5049  

WebApp JSP Snoop page XSS in Jetty through 6.1.21.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2011-4461  

Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
CWE-310 Cryptographic Issues

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References:

Vulnerable Software & Versions:

servlet-api-2.5.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/javax.servlet/servlet-api/2.5/5959582d97d8b61f4d154ca9e495aafd16726e34/servlet-api-2.5.jar
MD5: 69ca51af4e9a67a1027a7f95b52c3e8f
SHA1: 5959582d97d8b61f4d154ca9e495aafd16726e34
SHA256:c658ea360a70faeeadb66fb3c90a702e4142a0ab7768f9ae9828678e0d9ad4dc
Referenced In Projects/Scopes:

  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • piglet:default

Identifiers

shiro-cache-1.4.0.jar

Description:

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.shiro/shiro-cache/1.4.0/ae1496cbdc4cce35c87d9014723863e049f9e2b4/shiro-cache-1.4.0.jar
MD5: 1424b34527e464edb0c42f74ce68876e
SHA1: ae1496cbdc4cce35c87d9014723863e049f9e2b4
SHA256:abab87532d6139cea5a48aee34a20daa15757917a65c7032976fdc014dd4c46a
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • geode:default
  • geode:compileClasspath
  • geode:runtimeClasspath

Identifiers

CVE-2019-12422  

Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2020-11989  

Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-13933  

Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2020-17510  

Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
CWE-306 Missing Authentication for Critical Function

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-17523  

Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
CWE-863 Incorrect Authorization

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:C
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-1957  

Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

shiro-config-core-1.4.0.jar

Description:

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.shiro/shiro-config-core/1.4.0/7d7ede51d15d346d962da9a3743064ddc9163b1d/shiro-config-core-1.4.0.jar
MD5: e0a4f21cff332ce5debddd7633b7d243
SHA1: 7d7ede51d15d346d962da9a3743064ddc9163b1d
SHA256:77e2cf1d210f334cba0e8902d01fd2acbf61b599c39c6cf023241fc6784a82a0
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • geode:default
  • geode:compileClasspath
  • geode:runtimeClasspath

Identifiers

CVE-2019-12422  

Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2020-11989  

Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-13933  

Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2020-17510  

Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
CWE-306 Missing Authentication for Critical Function

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-17523  

Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
CWE-863 Incorrect Authorization

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:C
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-1957  

Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

shiro-config-ogdl-1.4.0.jar

Description:

Support for Shiro's Object Graph Definition Language (mostly used in Ini configuration) where declared name/value pairs are interpreted to create an object graph

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.shiro/shiro-config-ogdl/1.4.0/28c5f1338030eed8f911f0a816a5ef2716f786a6/shiro-config-ogdl-1.4.0.jar
MD5: 1a3efbe65e8e5b20f540fcf8a73c13c4
SHA1: 28c5f1338030eed8f911f0a816a5ef2716f786a6
SHA256:d21bf04b78c69748db2fcf0315df00347bda43b65ef0aa83a7e496070c8e34f9
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • geode:default
  • geode:compileClasspath
  • geode:runtimeClasspath

Identifiers

CVE-2019-12422  

Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2020-11989  

Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-13933  

Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2020-17510  

Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
CWE-306 Missing Authentication for Critical Function

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-17523  

Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
CWE-863 Incorrect Authorization

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:C
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-1957  

Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

shiro-core-1.4.0.jar

Description:

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.shiro/shiro-core/1.4.0/6d05bd17e057fc12d278bb367c27f9cb0f3dc197/shiro-core-1.4.0.jar
MD5: 1268db1dcfc96e6ad1a297bda1e03eea
SHA1: 6d05bd17e057fc12d278bb367c27f9cb0f3dc197
SHA256:1c1aa41af7a3314678154ff0456d7592bbd00f298ce3a94a417a1bd4bcfd1104
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • geode:default
  • geode:compileClasspath
  • geode:runtimeClasspath

Identifiers

CVE-2019-12422  

Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2020-11989  

Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-13933  

Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2020-17510  

Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
CWE-306 Missing Authentication for Critical Function

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-17523  

Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
CWE-863 Incorrect Authorization

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:C
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-1957  

Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

shiro-crypto-cipher-1.4.0.jar

Description:

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.shiro/shiro-crypto-cipher/1.4.0/78020924ddce7632daa3b9acb698167c240df623/shiro-crypto-cipher-1.4.0.jar
MD5: 869c982ffffd7e8dc228500dd4ece97d
SHA1: 78020924ddce7632daa3b9acb698167c240df623
SHA256:67f8bc6f9dfa11a9c4959284f2f591dbd238ca20e1fbd1964d0c2daa69cf9ec0
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • geode:default
  • geode:compileClasspath
  • geode:runtimeClasspath

Identifiers

CVE-2019-12422  

Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2020-11989  

Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-13933  

Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2020-17510  

Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
CWE-306 Missing Authentication for Critical Function

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-17523  

Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
CWE-863 Incorrect Authorization

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:C
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-1957  

Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

shiro-crypto-core-1.4.0.jar

Description:

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.shiro/shiro-crypto-core/1.4.0/7049325bba697985eee924eda03cb7971af1b808/shiro-crypto-core-1.4.0.jar
MD5: 53fc38f4845087acf364bcf9a507fdd7
SHA1: 7049325bba697985eee924eda03cb7971af1b808
SHA256:1cba00a55eb65858ba0fd76e515d2177e6b834f37277a76afecd1cad0957d36c
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • geode:default
  • geode:compileClasspath
  • geode:runtimeClasspath

Identifiers

CVE-2019-12422  

Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2020-11989  

Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-13933  

Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2020-17510  

Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
CWE-306 Missing Authentication for Critical Function

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-17523  

Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
CWE-863 Incorrect Authorization

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:C
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-1957  

Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

shiro-crypto-hash-1.4.0.jar

Description:

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.shiro/shiro-crypto-hash/1.4.0/b767d3db10f01dfba79c04cbc9e17eae0247b9c/shiro-crypto-hash-1.4.0.jar
MD5: 66dafe1350b86759d887ab181f181759
SHA1: 0b767d3db10f01dfba79c04cbc9e17eae0247b9c
SHA256:3a40fb67aa4c118cb3e47ca339a3094707778f0ea0c9fedca2147c9bfdb8647f
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • geode:default
  • geode:compileClasspath
  • geode:runtimeClasspath

Identifiers

CVE-2019-12422  

Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2020-11989  

Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-13933  

Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2020-17510  

Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
CWE-306 Missing Authentication for Critical Function

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-17523  

Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
CWE-863 Incorrect Authorization

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:C
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-1957  

Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

shiro-event-1.4.0.jar

Description:

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.shiro/shiro-event/1.4.0/df4e83b5200940439e0c7ba4fc145902900e2cd/shiro-event-1.4.0.jar
MD5: 2c7267be4f08a425b52287fa01687a2a
SHA1: 0df4e83b5200940439e0c7ba4fc145902900e2cd
SHA256:eed623e101d2bc5b29be2c93679504d411eedb2261b95a478cd5140d82734e7c
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • geode:default
  • geode:compileClasspath
  • geode:runtimeClasspath

Identifiers

CVE-2019-12422  

Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2020-11989  

Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-13933  

Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2020-17510  

Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
CWE-306 Missing Authentication for Critical Function

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-17523  

Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
CWE-863 Incorrect Authorization

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:C
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-1957  

Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

shiro-lang-1.4.0.jar

Description:

The lang module encapsulates only language-specific utilities that are used by various other modules. It exists to augment what we would have liked to see in the JDK but does not exist.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.shiro/shiro-lang/1.4.0/6895b5d14e7be7a77297336b037d7a7e79e858d6/shiro-lang-1.4.0.jar
MD5: c654a538ef466eb33aeb7ff59e027a01
SHA1: 6895b5d14e7be7a77297336b037d7a7e79e858d6
SHA256:8d78850ff764f72803568bbe0789eee513e2dcee990f465adbfdf0916a10ea9d
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • geode:default
  • geode:compileClasspath
  • geode:runtimeClasspath

Identifiers

CVE-2019-12422  

Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2020-11989  

Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-13933  

Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2020-17510  

Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
CWE-306 Missing Authentication for Critical Function

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-17523  

Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
CWE-863 Incorrect Authorization

CVSSv2:
  • Base Score: HIGH (9.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:C
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-1957  

Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

sketches-core-0.9.0.jar

Description:

Sketches-core contains the core algorithms used by other repositories in the DataSketches library.

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.yahoo.datasketches/sketches-core/0.9.0/ba592b4cca8eb7dd425721acc1b5d4c034e34fa0/sketches-core-0.9.0.jar
MD5: ae2f36640cd69ef20c83712c96cf017d
SHA1: ba592b4cca8eb7dd425721acc1b5d4c034e34fa0
SHA256:672a7973eae372d9f6ad9dab5904292ab38a1be2b7445521a0d820a59f2ae13c
Referenced In Projects/Scopes:

  • babel:default
  • piglet:runtimeClasspath
  • spark:default
  • splunk:default
  • function:runtimeClasspath
  • kafka:default
  • redis:runtimeClasspath
  • server:runtimeClasspath
  • cassandra:runtimeClasspath
  • druid:default
  • spark:runtimeClasspath
  • core:default
  • babel:runtimeClasspath
  • elasticsearch:runtimeClasspath
  • innodb:default
  • piglet:default
  • pig:default
  • plus:runtimeClasspath
  • function:default
  • csv:default
  • core:implementationDependenciesMetadata
  • kafka:runtimeClasspath
  • splunk:runtimeClasspath
  • core:compileClasspath
  • file:runtimeClasspath
  • innodb:runtimeClasspath
  • calcite:sqllineClasspath
  • core:runtimeClasspath
  • geode:default
  • elasticsearch:default
  • druid:runtimeClasspath
  • mongodb:runtimeClasspath
  • file:default
  • server:default
  • pig:runtimeClasspath
  • mongodb:default
  • redis:default
  • geode:runtimeClasspath
  • csv:runtimeClasspath
  • plus:default
  • cassandra:default

Identifiers

slf4j-api-1.7.25.jar

Description:

The slf4j API

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.slf4j/slf4j-api/1.7.25/da76ca59f6a57ee3102f8f9bd9cee742973efa8a/slf4j-api-1.7.25.jar
MD5: caafe376afb7086dcbee79f780394ca3
SHA1: da76ca59f6a57ee3102f8f9bd9cee742973efa8a
SHA256:18c4a0095d5c1da6b817592e767bb23d29dd2f560ad74df75ff3961dbde25b79
Referenced In Projects/Scopes:

  • cassandra:compileClasspath
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • spark:default
  • splunk:default
  • kafka:default
  • spark:compileClasspath
  • server:runtimeClasspath
  • cassandra:runtimeClasspath
  • druid:default
  • spark:runtimeClasspath
  • linq4j:runtimeClasspath
  • linq4j:default
  • druid:compileClasspath
  • plus:compileClasspath
  • pig:default
  • plus:runtimeClasspath
  • splunk:compileClasspath
  • function:default
  • file:compileClasspath
  • core:implementationDependenciesMetadata
  • kafka:runtimeClasspath
  • splunk:runtimeClasspath
  • file:runtimeClasspath
  • elasticsearch:default
  • kafka:compileClasspath
  • druid:runtimeClasspath
  • mongodb:default
  • cassandra:default
  • babel:default
  • function:runtimeClasspath
  • core:default
  • function:compileClasspath
  • elasticsearch:compileClasspath
  • babel:runtimeClasspath
  • elasticsearch:runtimeClasspath
  • piglet:default
  • babel:compileClasspath
  • csv:default
  • core:compileClasspath
  • core:runtimeClasspath
  • geode:default
  • geode:compileClasspath
  • mongodb:runtimeClasspath
  • file:default
  • server:default
  • ubenchmark:jmhCompileClasspath
  • pig:runtimeClasspath
  • mongodb:compileClasspath
  • server:compileClasspath
  • geode:runtimeClasspath
  • csv:compileClasspath
  • csv:runtimeClasspath
  • plus:default
  • pig:compileClasspath

Identifiers

slf4j-api-1.7.28.jar

Description:

The slf4j API

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.slf4j/slf4j-api/1.7.28/2cd9b264f76e3d087ee21bfc99305928e1bdb443/slf4j-api-1.7.28.jar
MD5: 1468c816e659d8013027d912863dc865
SHA1: 2cd9b264f76e3d087ee21bfc99305928e1bdb443
SHA256:fb6e4f67a2a4689e3e713584db17a5d1090c1ebe6eec30e9e0349a6ee118141e
Referenced In Projects/Scopes:

  • innodb:compileClasspath
  • innodb:runtimeClasspath
  • innodb:default

Identifiers

slf4j-api-1.7.30.jar

Description:

The slf4j API

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.slf4j/slf4j-api/1.7.30/b5a4b6d16ab13e34a88fae84c35cd5d68cac922c/slf4j-api-1.7.30.jar
MD5: f8be00da99bc4ab64c79ab1e2be7cb7c
SHA1: b5a4b6d16ab13e34a88fae84c35cd5d68cac922c
SHA256:cdba07964d1bb40a0761485c6b1e8c2f8fd9eb1d19c53928ac0d7f9510105c57
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • redis:compileClasspath
  • redis:default
  • redis:runtimeClasspath

Identifiers

slf4j-log4j12-1.7.25.jar

Description:

SLF4J LOG4J-12 Binding

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.slf4j/slf4j-log4j12/1.7.25/110cefe2df103412849d72ef7a67e4e91e4266b4/slf4j-log4j12-1.7.25.jar
MD5: 7f16ba3b1ab6a781c3f6887eae7b608d
SHA1: 110cefe2df103412849d72ef7a67e4e91e4266b4
SHA256:ddb343954deb6f046f862606c534178730c02ed23d0b7f6ca1012c1e3fa74273
Referenced In Projects/Scopes:

  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • spark:default
  • spark:compileClasspath
  • piglet:default
  • spark:runtimeClasspath

Identifiers

slf4j-log4j12-1.7.28.jar

Description:

SLF4J LOG4J-12 Binding

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.slf4j/slf4j-log4j12/1.7.28/9c45c87557628d1c06d770e1382932dc781e3d5d/slf4j-log4j12-1.7.28.jar
MD5: 4abb5232943c4fd9d098fdfb278c4591
SHA1: 9c45c87557628d1c06d770e1382932dc781e3d5d
SHA256:ad926e9a170d96519eab7553c94462d7849d55c4886c9b5d386782090e321fd6
Referenced In Projects/Scopes:

  • innodb:compileClasspath
  • innodb:runtimeClasspath
  • calcite:sqllineClasspath
  • innodb:default

Identifiers

snakeyaml-1.24.jar

Description:

YAML 1.1 parser and emitter for Java

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar
MD5: 694248028b74151981bbb97c1e565843
SHA1: 13a9c0d6776483c3876e3ff9384f9bb55b17001b
SHA256:d3f7f09989d5b0ce5c4791818ef937ee7663f1e359c2ef2d312f938aad0763da
Referenced In Projects/Scopes:
  • babel:default
  • piglet:runtimeClasspath
  • spark:default
  • splunk:default
  • function:runtimeClasspath
  • kafka:default
  • redis:runtimeClasspath
  • server:runtimeClasspath
  • cassandra:runtimeClasspath
  • druid:default
  • spark:runtimeClasspath
  • core:default
  • babel:runtimeClasspath
  • elasticsearch:runtimeClasspath
  • innodb:default
  • piglet:default
  • pig:default
  • plus:runtimeClasspath
  • function:default
  • csv:default
  • core:implementationDependenciesMetadata
  • kafka:runtimeClasspath
  • splunk:runtimeClasspath
  • core:compileClasspath
  • file:runtimeClasspath
  • innodb:runtimeClasspath
  • calcite:sqllineClasspath
  • core:runtimeClasspath
  • geode:default
  • elasticsearch:default
  • druid:runtimeClasspath
  • mongodb:runtimeClasspath
  • file:default
  • server:default
  • pig:runtimeClasspath
  • mongodb:default
  • redis:default
  • geode:runtimeClasspath
  • csv:runtimeClasspath
  • plus:default
  • cassandra:default

Identifiers

CVE-2017-18640  

The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

snappy-java-1.0.4.1.jar

Description:

snappy-java: A fast compression/decompression library

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.xerial.snappy/snappy-java/1.0.4.1/f88b89a5a21a466aeb0ecf0c063605bd584b4947/snappy-java-1.0.4.1.jar
MD5: 3fad0dcafbced1e3475e3ad7bdd3236b
SHA1: f88b89a5a21a466aeb0ecf0c063605bd584b4947
SHA256:52533e94f79beacb9862bac33fa2e2fc724a8cfb2a739c33ae4ea10515f2bb86
Referenced In Projects/Scopes:
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • pig:runtimeClasspath
  • piglet:default
  • pig:default
  • pig:compileClasspath

Identifiers

snappy-java-1.0.4.1.jar: snappyjava.dll

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.xerial.snappy/snappy-java/1.0.4.1/f88b89a5a21a466aeb0ecf0c063605bd584b4947/snappy-java-1.0.4.1.jar/org/xerial/snappy/native/Windows/x86/snappyjava.dll
MD5: 02d0731854ac1be878dc4d6e2555aa2d
SHA1: baf474b2ad0b6873e2d99764ea61dcb42f850e24
SHA256:e063f8c7329c9e95f61fac2d2c91330440cd45ff832582a46080c082fa8a0c56
Referenced In Projects/Scopes:

  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • pig:runtimeClasspath
  • piglet:default
  • pig:default
  • pig:compileClasspath

Identifiers

  • None

snappy-java-1.0.4.1.jar: snappyjava.dll

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.xerial.snappy/snappy-java/1.0.4.1/f88b89a5a21a466aeb0ecf0c063605bd584b4947/snappy-java-1.0.4.1.jar/org/xerial/snappy/native/Windows/amd64/snappyjava.dll
MD5: 09989290a9d23aa887ad3919c8daf6bd
SHA1: 1ca8cb25c14aa3574e1c2d362e11b97b889dc466
SHA256:f0bcc10fb910803d2ce1dfc36fe792066a27570ecacdeedf9d98e7b758f37b44
Referenced In Projects/Scopes:

  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • pig:runtimeClasspath
  • piglet:default
  • pig:default
  • pig:compileClasspath

Identifiers

  • None

snappy-java-1.1.2.6.jar

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.xerial.snappy/snappy-java/1.1.2.6/48d92871ca286a47f230feb375f0bbffa83b85f6/snappy-java-1.1.2.6.jar
MD5: 238af9ae1f62970d9176fa0c4f6387fe
SHA1: 48d92871ca286a47f230feb375f0bbffa83b85f6
SHA256:61f7bc4076be0320ab4ef076fb6d83e3f649c3caf9ffb6031654a73f9c23732f
Referenced In Projects/Scopes:
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

snappy-java-1.1.2.6.jar: snappyjava.dll

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.xerial.snappy/snappy-java/1.1.2.6/48d92871ca286a47f230feb375f0bbffa83b85f6/snappy-java-1.1.2.6.jar/org/xerial/snappy/native/Windows/x86/snappyjava.dll
MD5: c35f7d232d05fd0b8440153cb4224a5a
SHA1: 45b5f3fdd2bac156b8d100ce2c29ac7126454fef
SHA256:15fb95c2168bb78cf94f61bbff7fc0bb5611db9d8509dd1322a40d735c3109bc
Referenced In Projects/Scopes:

  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

  • None

snappy-java-1.1.2.6.jar: snappyjava.dll

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.xerial.snappy/snappy-java/1.1.2.6/48d92871ca286a47f230feb375f0bbffa83b85f6/snappy-java-1.1.2.6.jar/org/xerial/snappy/native/Windows/x86_64/snappyjava.dll
MD5: eae816277d795d3397f08ad43d236576
SHA1: 283068f6b5cd8bb3449867558624fe19c432d909
SHA256:dfcc13605edabf70e7bec87f68bc2a1c7d06bebecd72a0d4e122eee2e695948e
Referenced In Projects/Scopes:

  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

  • None

snappy-java-1.1.7.2.jar

Description:

snappy-java: A fast compression/decompression library

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.xerial.snappy/snappy-java/1.1.7.2/307b286efd119ad2c6d4291128bf110bddc68088/snappy-java-1.1.7.2.jar
MD5: 43f28328017f172f727e34e08e2d5980
SHA1: 307b286efd119ad2c6d4291128bf110bddc68088
SHA256:30c332dfd4deb20332d736d5c673614ca7654598661ec5dd0793edc2f3da3261
Referenced In Projects/Scopes:
  • kafka:runtimeClasspath
  • calcite:sqllineClasspath
  • kafka:compileClasspath
  • kafka:default

Identifiers

snappy-java-1.1.7.2.jar: snappyjava.dll

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.xerial.snappy/snappy-java/1.1.7.2/307b286efd119ad2c6d4291128bf110bddc68088/snappy-java-1.1.7.2.jar/org/xerial/snappy/native/Windows/x86/snappyjava.dll
MD5: 3311b452e8619f09b279575c5ebac4c7
SHA1: b2ab0f778657b4ff3521d7c93e3e5b3b31b96ff9
SHA256:0be631df962e3dc0c5086869e77d00dde089dbde44ebb7a3e7a75b9f61fa2931
Referenced In Projects/Scopes:

  • kafka:runtimeClasspath
  • calcite:sqllineClasspath
  • kafka:compileClasspath
  • kafka:default

Identifiers

  • None

snappy-java-1.1.7.2.jar: snappyjava.dll

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.xerial.snappy/snappy-java/1.1.7.2/307b286efd119ad2c6d4291128bf110bddc68088/snappy-java-1.1.7.2.jar/org/xerial/snappy/native/Windows/x86_64/snappyjava.dll
MD5: 82578a05ced2f0dc97c2e6b7d350e4c4
SHA1: 79d91441d17e3c81a8bf107ebc9843c642d9e278
SHA256: cfc8d0ea172f838b3a7502e378baed72a3ac45020fb9772667e5dffee46d588b
Referenced In Projects/Scopes:

  • kafka:runtimeClasspath
  • calcite:sqllineClasspath
  • kafka:compileClasspath
  • kafka:default

Identifiers

  • None

spark-core_2.10-2.2.2.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar
MD5: 4a7456371c6b9289cbf8d853a13a3944
SHA1: 002029009854ecb422d1ba6dc8135ba9b2be2ad1
SHA256: 10f4077c72c37961ab0c4626a5d88f323eb2fc5e25741394d52d0388720dc138
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

CVE-2018-11760  

When using PySpark, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. This affects versions 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: LOW (2.1)
  • Vector: /AV:L/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CVE-2018-11770  

From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property 'spark.authenticate.secret' establishes a shared secret for authenticating requests to submit jobs via spark-submit. However, the REST API does not use this or any other authentication mechanism, and this is not adequately documented. In this case, a user would be able to run a driver program without authenticating, but not launch executors, using the REST API. This REST API is also used by Mesos, when set up to run in cluster mode (i.e., when also running MesosClusterDispatcher), for job submission. Future versions of Spark will improve documentation on these points, and prohibit setting 'spark.authenticate.secret' when running the REST APIs, to make this clear. Future versions will also disable the REST API by default in the standalone master by changing the default value of 'spark.master.rest.enabled' to 'false'.
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: MEDIUM (4.9)
  • Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.2)
  • Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

CVE-2018-11804  

Spark's Apache Maven-based build includes a convenience script, 'build/mvn', that downloads and runs a zinc server to speed up compilation. It has been included in release branches since 1.3.x, up to and including master. This server will accept connections from external hosts by default. A specially-crafted request to the zinc server could cause it to reveal information in files readable to the developer account running the build. Note that this issue does not affect end users of Spark, only developers building Spark from source code.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2018-17190  

In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker, the execution of code on the master is nevertheless unexpected.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2019-10099  

Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in PySpark, using broadcast and parallelize; and use of Python UDFs.
CWE-310 Cryptographic Issues

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2020-9480  

In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc).
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: HIGH (9.3)
  • Vector: /AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

spark-core_2.10-2.2.2.jar (shaded: org.eclipse.jetty:jetty-client:9.3.11.v20160721)

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/META-INF/maven/org.eclipse.jetty/jetty-client/pom.xml
MD5: d46838228680db23b38ea6dac066efc2
SHA1: 34543f2f47bac1d9019f2e58fcfc16bec334c689
SHA256: cf3b1c2e7c60f47f8538c14e3fd7f1945a5ca4edce96388f3305cf3859bf3f75
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

CVE-2017-7656  

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2017-7657  

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'), CWE-190 Integer Overflow or Wraparound

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2017-7658  

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2018-12536  

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2018-12545  

In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGs frames containing many settings, or many small SETTINGs frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2019-10241  

In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a listing of directory contents.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2019-10247  

In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error; it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2020-27216  

In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (4.4)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.0)
  • Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2021-28165  

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: HIGH (7.8)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

spark-core_2.10-2.2.2.jar (shaded: org.eclipse.jetty:jetty-continuation:9.3.11.v20160721)

Description:

Asynchronous API

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/META-INF/maven/org.eclipse.jetty/jetty-continuation/pom.xml
MD5: 9ee71668e9a5ebe980758e881a14030d
SHA1: c8446f5293a28d819b7295e2cdec61a7174698b5
SHA256: 1e0271b1b03ee91e26fc3f2d09959a023b7e57c125a21df7aad0d53703cbfe63
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

CVE-2017-7656  

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2017-7657  

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'), CWE-190 Integer Overflow or Wraparound

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2017-7658  

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2018-12536  

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2018-12545  

In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGs frames containing many settings, or many small SETTINGs frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2019-10241  

In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a listing of directory contents.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2019-10247  

In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error; it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2020-27216  

In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (4.4)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.0)
  • Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2021-28165  

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: HIGH (7.8)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

spark-core_2.10-2.2.2.jar (shaded: org.eclipse.jetty:jetty-http:9.3.11.v20160721)

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/META-INF/maven/org.eclipse.jetty/jetty-http/pom.xml
MD5: 509c2a0bad16b09c2d818fac7e2bf3e0
SHA1: 6fb3a335f41a316c0e65330225d48175499586b6
SHA256: c778faeacd8d36f9e77390243c84235e073b6c3e1d080076d631c6310dc1b348
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

CVE-2017-7656  

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2017-7657  

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'), CWE-190 Integer Overflow or Wraparound

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2017-7658  

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2017-9735 (OSSINDEX)  

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.eclipse.jetty:jetty-http:9.3.11.v20160721:*:*:*:*:*:*:*

CVE-2018-12536  

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2018-12545  

In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGs frames containing many settings, or many small SETTINGs frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2019-10241  

In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a listing of directory contents.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2019-10247  

In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error; it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2020-27216  

In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (4.4)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.0)
  • Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2021-28165  

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: HIGH (7.8)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

spark-core_2.10-2.2.2.jar (shaded: org.eclipse.jetty:jetty-io:9.3.11.v20160721)

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/META-INF/maven/org.eclipse.jetty/jetty-io/pom.xml
MD5: 7292c2abb073718c950e0a0e00a28e4d
SHA1: a69b6b410056c1f527a0b2cefc7baed2cef4c635
SHA256: 5d921425af6f925c5b6ffaed1c778b541b710f035c1dd4233402fc3152870b42
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

CVE-2021-28165 (OSSINDEX)  

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.eclipse.jetty:jetty-io:9.3.11.v20160721:*:*:*:*:*:*:*

spark-core_2.10-2.2.2.jar (shaded: org.eclipse.jetty:jetty-plus:9.3.11.v20160721)

Description:

Jetty JavaEE style services

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/META-INF/maven/org.eclipse.jetty/jetty-plus/pom.xml
MD5: 6c9e58f0800385b0eb50a75df9a4ebf1
SHA1: d3b4d7009ca65eb972c3b644a6633d0042a343cd
SHA256: 42362d2eea75c008f58b90c1fda349733977031d56ebb36a75977a045d01300e
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

CVE-2017-7656  

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2017-7657  

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'), CWE-190 Integer Overflow or Wraparound

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2017-7658  

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2017-9735 (OSSINDEX)  

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.eclipse.jetty:jetty-plus:9.3.11.v20160721:*:*:*:*:*:*:*

CVE-2018-12536  

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2018-12545  

In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGs frames container containing many settings, or many small SETTINGs frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2019-10241  

In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2019-10247  

In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2020-27216  

In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (4.4)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.0)
  • Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2021-28165  

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: HIGH (7.8)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

spark-core_2.10-2.2.2.jar (shaded: org.eclipse.jetty:jetty-proxy:9.3.11.v20160721)

Description:

Jetty Proxy

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/META-INF/maven/org.eclipse.jetty/jetty-proxy/pom.xml
MD5: 154cdc797a38914d94263bc568ab24ad
SHA1: 027b6432ceed5c9a130e4362eda5b2ee390a0ecf
SHA256: 8f6e128f7347bee311acd750545ca0a1332af4cbf92b81a2c46ae8fe5e1431b8
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

spark-core_2.10-2.2.2.jar (shaded: org.eclipse.jetty:jetty-security:9.3.11.v20160721)

Description:

Jetty security infrastructure

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/META-INF/maven/org.eclipse.jetty/jetty-security/pom.xml
MD5: 2162ed280aaddaa7d50aa463cf645494
SHA1: 4c017e6920e5a79e79424445aba656d198e41690
SHA256: c4305e661fca123e5393de1519e1374c3e73a6b1620c4001bd23b78b4446150a
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

CVE-2017-7656  

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2017-7657  

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'), CWE-190 Integer Overflow or Wraparound

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2017-7658  

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2018-12536  

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2018-12545  

In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGs frames container containing many settings, or many small SETTINGs frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2019-10241  

In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2019-10247  

In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2020-27216  

In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (4.4)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.0)
  • Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2021-28165  

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: HIGH (7.8)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

spark-core_2.10-2.2.2.jar (shaded: org.eclipse.jetty:jetty-server:9.3.11.v20160721)

Description:

The core jetty server artifact.

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/META-INF/maven/org.eclipse.jetty/jetty-server/pom.xml
MD5: 6fed40b40a9c6428866a81aba461ce0e
SHA1: f46e25f8f6c4f9ceae22f36bc5836e1ddc7cbd63
SHA256: c89d09095fbad276fa96adb87ddee1d3948b5e171afc2439c05c32f366ae730e
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

CVE-2017-7656  

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2017-7657  

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'), CWE-190 Integer Overflow or Wraparound

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2017-7658  

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2017-9735 (OSSINDEX)  

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.eclipse.jetty:jetty-server:9.3.11.v20160721:*:*:*:*:*:*:*

CVE-2018-12536  

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2018-12545  

In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGs frames container containing many settings, or many small SETTINGs frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2019-10241  

In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2019-10247  

In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2020-27216  

In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (4.4)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.0)
  • Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2021-28165  

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: HIGH (7.8)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

spark-core_2.10-2.2.2.jar (shaded: org.eclipse.jetty:jetty-servlet:9.3.11.v20160721)

Description:

Jetty Servlet Container

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/META-INF/maven/org.eclipse.jetty/jetty-servlet/pom.xml
MD5: b09a07bb2a8a4dd35885b47444bae2ec
SHA1: 6c1fbbb127738f47e92a9fab48e050eadd162ace
SHA256: 956c469d09495e33870ab16f690e469af37714cc5782e4083ae94307d54b88a9
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

CVE-2017-7656  

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2017-7657  

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'), CWE-190 Integer Overflow or Wraparound

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2017-7658  

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2018-12536  

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2018-12545  

In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGs frames container containing many settings, or many small SETTINGs frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2019-10241  

In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2019-10247  

In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2020-27216  

In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (4.4)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.0)
  • Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2021-28165  

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: HIGH (7.8)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

spark-core_2.10-2.2.2.jar (shaded: org.eclipse.jetty:jetty-servlets:9.3.11.v20160721)

Description:

Utility Servlets from Jetty

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/META-INF/maven/org.eclipse.jetty/jetty-servlets/pom.xml
MD5: 2f3cee3e8eac8287b4f4cffaf5119f76
SHA1: a4e5265b5a7924cdda05e470b3f5cc1b1e5c8a87
SHA256:5cf4c6c32d250994bf8226c79f0133d427d0550aef194d14f3cea5f59e171ffb
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

CVE-2017-7656  

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2017-7657  

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'), CWE-190 Integer Overflow or Wraparound

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2017-7658  

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-length headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2018-12536  

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2018-12545  

In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGs frames containing many settings, or many small SETTINGs frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2019-10241  

In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a listing of directory contents.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2019-10247  

In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error; it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2020-27216  

In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix-like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary subdirectory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (4.4)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.0)
  • Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2021-28165  

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: HIGH (7.8)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

spark-core_2.10-2.2.2.jar (shaded: org.eclipse.jetty:jetty-util:9.3.11.v20160721)

Description:

Utility classes for Jetty

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/META-INF/maven/org.eclipse.jetty/jetty-util/pom.xml
MD5: b418b4ce2ec43545a4fb88ca31adbb15
SHA1: e721e663c73b89f71812c0416385bb610a6d1767
SHA256:bb3cbd88ecb9433aa04135ce48dbb22a41ac6897905d12277d548c22b06a8390
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

CVE-2017-7656  

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2017-7657  

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'), CWE-190 Integer Overflow or Wraparound

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2017-7658  

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-length headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2018-12536  

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2018-12545  

In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGs frames containing many settings, or many small SETTINGs frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2019-10241  

In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a listing of directory contents.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2019-10247  

In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error; it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2020-27216  

In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix-like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary subdirectory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (4.4)
  • Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (7.0)
  • Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2021-28165  

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
  • Base Score: HIGH (7.8)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

spark-core_2.10-2.2.2.jar: additional-metrics.js

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/additional-metrics.js
MD5: 7fa27b76aeb0681abb2e6fe720669bae
SHA1: 7eb83bced737a22b17115be924b4400b444fdbda
SHA256:c40ff9923a081ba6fcfb125db5237d7e50a03198cae783c2b6aed8abbf8a5eed
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

  • None

spark-core_2.10-2.2.2.jar: bootstrap-tooltip.js

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/bootstrap-tooltip.js
MD5: 709947628312aa8a4abaaf4e164c4f2c
SHA1: f4497d890717ded6be81af60dc211dd5528be2bd
SHA256:7b4898d4fe0ee9e363ded6e1fd5ea1302c400ccd35590b863c9c7d95de71a652
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

  • None

spark-core_2.10-2.2.2.jar: d3.min.js

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/d3.min.js
MD5: e1b9f89cc778a8c619cde3aea8b6f9d4
SHA1: 71188357fc005e40125b0ad76586c1f4bd53cffd
SHA256:3d4c7c277efd3bb019ed0aba5d2dfbe575ded9b9055b842997774bee02f2b76a
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

  • None

spark-core_2.10-2.2.2.jar: dagre-d3.min.js

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/dagre-d3.min.js
MD5: 2a602f00fd01dc07a0cb4def2f19850f
SHA1: f7552c9cb333c9dfc81c01149f7c321ed95ae0ef
SHA256:f38a54a35b59d44f359e1ecdbccc457ebae3f37c5448fc007107081d518144a3
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

  • None

spark-core_2.10-2.2.2.jar: dataTables.bootstrap.min.js

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/dataTables.bootstrap.min.js
MD5: 0b47c89e21f255c1dd714c4acf7ff89c
SHA1: a66a9406643303fc2a33d53ab773e0a76ad49f5a
SHA256:a905062b971bfb70ba70dda1a454d9cb7f7389be7ff515f6eb9009c8e697a34b
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

  • None

spark-core_2.10-2.2.2.jar: dataTables.rowsGroup.js

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/dataTables.rowsGroup.js
MD5: 9473e0a904f35fdf0110d912d16d5fb7
SHA1: 195a59175be1992aab636c5c641b405ba0283581
SHA256:5856c937e4fe8a921364a14de58f406788db336ed9066b3aed897c0ced755c42
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

  • None

spark-core_2.10-2.2.2.jar: executorspage.js

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/executorspage.js
MD5: 724bce5b2c0eecddb64d378a5b732052
SHA1: 13cc5ea43ee83acc80112605a108598fdb60fea2
SHA256:f0bbcb84cf1cab33248618670ecc265ed14d13c5138e7aa71793a70d002dace3
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

  • None

spark-core_2.10-2.2.2.jar: graphlib-dot.min.js

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/graphlib-dot.min.js
MD5: 4c5ef7d11656cbc9c5efa082c2cc171a
SHA1: 197289ce3c78118bdeae5f312f97ed2b76cbd367
SHA256:668584b1ed5fe082dc65c895d7cf4b4b3f0868758b1bdbaf056905418594a556
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

  • None

spark-core_2.10-2.2.2.jar: historypage-common.js

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/historypage-common.js
MD5: 9a706318dfcf6b9877637077cdcbceb7
SHA1: 93cb55a455d6bd69ef527bd5ec118478c1e59406
SHA256:d031ee99e77b772f4e2396b8b91580dc7827f63de188512543938308cc60ec13
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

  • None

spark-core_2.10-2.2.2.jar: historypage.js

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/historypage.js
MD5: 4baeffb4082f8ba5df50a1c8e7b8de69
SHA1: e57278c446c784ea868cb99bb541854eb19009a4
SHA256:97e4dba4f48b8f6424c3d6638f4f51fc0d8b99c277d2dca87c09f10c6581d9af
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

  • None

spark-core_2.10-2.2.2.jar: initialize-tooltips.js

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/initialize-tooltips.js
MD5: a7d09087f6ad4fb363268e35875c039d
SHA1: 5a3e6fade32d14c4607fabd6c3c687055aeb83d2
SHA256:a1accf33abb4abb4a65359b042db1c6afd92e437aa7cd08cb914590f5dd92c88
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

  • None

spark-core_2.10-2.2.2.jar: jquery-1.11.1.min.js

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/jquery-1.11.1.min.js
MD5: 8101d596b2b8fa35fe3a634ea342d7c3
SHA1: d6c1f41972de07b09bfa63d2e50f9ab41ec372bd
SHA256:540bc6dec1dd4b92ea4d3fb903f69eabf6d919afd48f4e312b163c28cff0f441
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

CVE-2015-9251  

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Vulnerable Software & Versions (NVD):

CVE-2019-11358  

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Vulnerable Software & Versions (NVD):


CVE-2020-11022  

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Vulnerable Software & Versions (NVD):


CVE-2020-11023  

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Vulnerable Software & Versions (NVD):


spark-core_2.10-2.2.2.jar: jquery.blockUI.min.js

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/jquery.blockUI.min.js
MD5: d8199c4bdb9f8a6bdfb27f3e3e4d1385
SHA1: 2accb3541d62d724734aa65cbb7a8f6dc959b00e
SHA256:5b6f08f589840a27b74ec78944a46aa55e58812a99c5aa634aed6b45041a1761
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

  • None

spark-core_2.10-2.2.2.jar: jquery.cookies.2.2.0.min.js

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/jquery.cookies.2.2.0.min.js
MD5: 03b9574487d06f8f8513f95758c7cab3
SHA1: 90a61ac9835905ebec2bb1499dd0b0de894f8045
SHA256:10fdbfbb18a947e7024457f52fd2dfe94ebddd612156c886731474b02aa45d23
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

  • None

spark-core_2.10-2.2.2.jar: jquery.dataTables.1.10.4.min.js

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/jquery.dataTables.1.10.4.min.js
MD5: 6eb613493f10a4bf9f11863e79aded88
SHA1: 31393b03e8b31b3d77dbc824d2eca935492c041e
SHA256:e16d5c26379abd4f6dedb8fbe42db785b3170613f31d709352d8aa54b743ca9f
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

  • None

spark-core_2.10-2.2.2.jar: jquery.mustache.js

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/jquery.mustache.js
MD5: 148abb4a8b728e5c7b92106904277e78
SHA1: 16102aa3b01a5f6b18f500df8c6de53374838f76
SHA256:370a5ba97e24ac11723727ad83a00b821c9d0f1a1729b85537bb18b67bc70255
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

mustache.js bug: pull request 530 (RETIREJS)  

weakness in HTML escaping
Unscored:
  • Severity: medium

spark-core_2.10-2.2.2.jar: jsonFormatter.min.js

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/jsonFormatter.min.js
MD5: beca83ee888fc4e974d0069b5e94b6ea
SHA1: 0795631699a4d227e3cf13398792d54c0f4e4eb2
SHA256:182aaeba495cc66257d9c46ea68df28139bd6f02eb97695341ef4dae69dd0539
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

  • None

spark-core_2.10-2.2.2.jar: log-view.js

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/log-view.js
MD5: efe8661ce20a440c0cef49fd2065a619
SHA1: 209be33395581d7910508e7d5fbcf34128276410
SHA256:70aa723cc996ac25cf0e33914fec32545cd6013f4cab35ed1d031d26ab3508d4
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

  • None

spark-core_2.10-2.2.2.jar: sorttable.js

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/sorttable.js
MD5: 8d85fe2d93f0c9e2823b9ecc00094a00
SHA1: 04cfb707c2bb77b50f3dc87ce3e78646f4765d30
SHA256:94761e7b1c4ad7423a09f334f6a2fa6e6ac2faf354ced60984a0b88f423f95f3
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

  • None

spark-core_2.10-2.2.2.jar: spark-dag-viz.js

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/spark-dag-viz.js
MD5: 5bd6afd0f6a84724900815d9bca46579
SHA1: c02bc10e545436dae6b5cd3a1b59b25d614cfdc9
SHA256:8797a36ba1d907c2203ccff6315db6a5385e9c2fc259925eb2cb2dd288c86c7c
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

  • None

spark-core_2.10-2.2.2.jar: table.js

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/table.js
MD5: a5898f0bcd5ec1686d1d72f47c524909
SHA1: 33a086242b5716193ce7382be92e4e25fc0c47d1
SHA256:0fd719ead123ad6eacae5373bb1ccb7fd6339ea816adcaceae822f8d578e21c6
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

  • None

spark-core_2.10-2.2.2.jar: timeline-view.js

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/timeline-view.js
MD5: 8f9f8a705ff1730e615cc257cc36cd73
SHA1: f47f3bd914191f5491f2ef6a4442a7cb03568e0a
SHA256:2f887f4c95b8f2226145dab55d4ae78b2bea76c763e8aa9d93f61b0a3a8a9aac
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

  • None

spark-core_2.10-2.2.2.jar: utils.js

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/utils.js
MD5: 0e92f5f593121fdaeb9bd616e5c45926
SHA1: 1c249c68df177d83dfee902a77908ecfc1ae5b1c
SHA256:5d0103d19b129c0bd2058fb36aaf6f9cd1df2ec5b56939b1048ec7732a3429e0
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

  • None

spark-core_2.10-2.2.2.jar: vis.min.js

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/vis.min.js
MD5: 8f16db863f54b83e1a0a33d2b2249c79
SHA1: 15c8115cdd5e9d70183f7995aa84a8c498c5a5e6
SHA256:7b461b95eaf9aedbb6e4765a2913a75ffe086d8c5b45d12c18a96fd43c55edc4
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

  • None

spark-core_2.10-2.2.2.jar: webui.js

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/webui.js
MD5: b3a978c3fe27a3b75db21c937f1de61a
SHA1: b918ea863f1b904628457f8d6ee11e0aa063e406
SHA256:32eb7c5409ecfc34a7249c5b549cb842a39b7c797689f9ebb095e0adb932d68d
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

  • None

spark-launcher_2.10-2.2.2.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-launcher_2.10/2.2.2/5362ba56171849ce261d8504d0a8870f369f2441/spark-launcher_2.10-2.2.2.jar
MD5: 692d3018a03e0467434728c0b25a1e17
SHA1: 5362ba56171849ce261d8504d0a8870f369f2441
SHA256:105cbd8b62d7c61194ed51aef8588d5f09e0e12e62d68c1d852caf9255149b75
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

CVE-2018-11760  

When using PySpark, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. This affects versions 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: LOW (2.1)
  • Vector: /AV:L/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CVE-2018-11770  

From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property 'spark.authenticate.secret' establishes a shared secret for authenticating requests to submit jobs via spark-submit. However, the REST API does not use this or any other authentication mechanism, and this is not adequately documented. In this case, a user would be able to run a driver program without authenticating, but not launch executors, using the REST API. This REST API is also used by Mesos, when set up to run in cluster mode (i.e., when also running MesosClusterDispatcher), for job submission. Future versions of Spark will improve documentation on these points, and prohibit setting 'spark.authenticate.secret' when running the REST APIs, to make this clear. Future versions will also disable the REST API by default in the standalone master by changing the default value of 'spark.master.rest.enabled' to 'false'.
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: MEDIUM (4.9)
  • Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.2)
  • Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

CVE-2018-11804  

Spark's Apache Maven-based build includes a convenience script, 'build/mvn', that downloads and runs a zinc server to speed up compilation. It has been included in release branches since 1.3.x, up to and including master. This server will accept connections from external hosts by default. A specially-crafted request to the zinc server could cause it to reveal information in files readable to the developer account running the build. Note that this issue does not affect end users of Spark, only developers building Spark from source code.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2018-17190  

In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker, the execution of code on the master is nevertheless unexpected.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2019-10099  

Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in PySpark, using broadcast and parallelize; and use of Python UDFs.
CWE-310 Cryptographic Issues

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2020-9480  

In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc).
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: HIGH (9.3)
  • Vector: /AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

spark-network-common_2.10-2.2.2.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-network-common_2.10/2.2.2/21c00bf2f87048dcb6b128c7a5c8ea18e9582333/spark-network-common_2.10-2.2.2.jar
MD5: 46a327ba516a170b8ca37484b8b00fb2
SHA1: 21c00bf2f87048dcb6b128c7a5c8ea18e9582333
SHA256:4a62f40962c62782c10a11570ea228a661386aa8c29df438880b90fa17707964
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

CVE-2018-11760  

When using PySpark, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. This affects versions 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: LOW (2.1)
  • Vector: /AV:L/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CVE-2018-11770  

From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property 'spark.authenticate.secret' establishes a shared secret for authenticating requests to submit jobs via spark-submit. However, the REST API does not use this or any other authentication mechanism, and this is not adequately documented. In this case, a user would be able to run a driver program without authenticating, but not launch executors, using the REST API. This REST API is also used by Mesos, when set up to run in cluster mode (i.e., when also running MesosClusterDispatcher), for job submission. Future versions of Spark will improve documentation on these points, and prohibit setting 'spark.authenticate.secret' when running the REST APIs, to make this clear. Future versions will also disable the REST API by default in the standalone master by changing the default value of 'spark.master.rest.enabled' to 'false'.
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: MEDIUM (4.9)
  • Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.2)
  • Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

CVE-2018-11804  

Spark's Apache Maven-based build includes a convenience script, 'build/mvn', that downloads and runs a zinc server to speed up compilation. It has been included in release branches since 1.3.x, up to and including master. This server will accept connections from external hosts by default. A specially-crafted request to the zinc server could cause it to reveal information in files readable to the developer account running the build. Note that this issue does not affect end users of Spark, only developers building Spark from source code.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2018-17190  

In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker, the execution of code on the master is nevertheless unexpected.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2019-10099  

Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in PySpark, using broadcast and parallelize; and use of Python UDFs.
CWE-310 Cryptographic Issues

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2020-9480  

In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc).
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: HIGH (9.3)
  • Vector: /AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

spark-network-common_2.10-2.2.2.jar (shaded: com.google.guava:guava:14.0.1)

Description:

    Guava is a suite of core and expanded libraries that include
    utility classes, google's collections, io classes, and much
    much more.

    Guava has two code dependencies - javax.annotation
    per the JSR-305 spec and javax.inject per the JSR-330 spec.
  

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-network-common_2.10/2.2.2/21c00bf2f87048dcb6b128c7a5c8ea18e9582333/spark-network-common_2.10-2.2.2.jar/META-INF/maven/com.google.guava/guava/pom.xml
MD5: b9406eec5781ea391a26972c394bf129
SHA1: 7b4c8f117c11a8f1fcaf4f1b0fd07cbe756a1430
SHA256:3dd4a992d53eb524a1c6546a24b853b332b26520755e26b25d38100131424b7b
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

CVE-2018-10237  

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2020-8908  

A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
CWE-732 Incorrect Permission Assignment for Critical Resource

CVSSv2:
  • Base Score: LOW (2.1)
  • Vector: /AV:L/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: LOW (3.3)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

spark-network-shuffle_2.10-2.2.2.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-network-shuffle_2.10/2.2.2/150b7893eec6f82a3900590c529f7b2a6e5d50f5/spark-network-shuffle_2.10-2.2.2.jar
MD5: 8dd59d468492eef90575a4fb2717ada6
SHA1: 150b7893eec6f82a3900590c529f7b2a6e5d50f5
SHA256:94b3d80767a0f5dc06056bb1bce9824ca5478fcdf736f43ec7f8e86afdc1cda2
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

CVE-2018-11760  

When using PySpark, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. This affects versions 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: LOW (2.1)
  • Vector: /AV:L/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CVE-2018-11770  

From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property 'spark.authenticate.secret' establishes a shared secret for authenticating requests to submit jobs via spark-submit. However, the REST API does not use this or any other authentication mechanism, and this is not adequately documented. In this case, a user would be able to run a driver program without authenticating, but not launch executors, using the REST API. This REST API is also used by Mesos, when set up to run in cluster mode (i.e., when also running MesosClusterDispatcher), for job submission. Future versions of Spark will improve documentation on these points, and prohibit setting 'spark.authenticate.secret' when running the REST APIs, to make this clear. Future versions will also disable the REST API by default in the standalone master by changing the default value of 'spark.master.rest.enabled' to 'false'.
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: MEDIUM (4.9)
  • Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.2)
  • Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

CVE-2018-11804  

Spark's Apache Maven-based build includes a convenience script, 'build/mvn', that downloads and runs a zinc server to speed up compilation. It has been included in release branches since 1.3.x, up to and including master. This server will accept connections from external hosts by default. A specially-crafted request to the zinc server could cause it to reveal information in files readable to the developer account running the build. Note that this issue does not affect end users of Spark, only developers building Spark from source code.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2018-17190  

In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker, the execution of code on the master is nevertheless unexpected.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2019-10099  

Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in PySpark, using broadcast and parallelize; and use of Python UDFs.
CWE-310 Cryptographic Issues

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2020-9480  

In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc).
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: HIGH (9.3)
  • Vector: /AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

spark-tags_2.10-2.2.2.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-tags_2.10/2.2.2/4df319abe6fcff45bed83a43877c7bdb032e5ee0/spark-tags_2.10-2.2.2.jar
MD5: 1a761e9070979d7ffb914c95636af725
SHA1: 4df319abe6fcff45bed83a43877c7bdb032e5ee0
SHA256:ea47eeb2c107a63a29ec234a746b5d5f8be8c2433a396a8d5c3c3a1d5618823a
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

CVE-2018-11760  

When using PySpark, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. This affects versions 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: LOW (2.1)
  • Vector: /AV:L/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CVE-2018-11770  

From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property 'spark.authenticate.secret' establishes a shared secret for authenticating requests to submit jobs via spark-submit. However, the REST API does not use this or any other authentication mechanism, and this is not adequately documented. In this case, a user would be able to run a driver program without authenticating, but not launch executors, using the REST API. This REST API is also used by Mesos, when set up to run in cluster mode (i.e., when also running MesosClusterDispatcher), for job submission. Future versions of Spark will improve documentation on these points, and prohibit setting 'spark.authenticate.secret' when running the REST APIs, to make this clear. Future versions will also disable the REST API by default in the standalone master by changing the default value of 'spark.master.rest.enabled' to 'false'.
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: MEDIUM (4.9)
  • Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.2)
  • Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

CVE-2018-11804  

Spark's Apache Maven-based build includes a convenience script, 'build/mvn', that downloads and runs a zinc server to speed up compilation. It has been included in release branches since 1.3.x, up to and including master. This server will accept connections from external hosts by default. A specially-crafted request to the zinc server could cause it to reveal information in files readable to the developer account running the build. Note that this issue does not affect end users of Spark, only developers building Spark from source code.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2018-17190  

In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker, the execution of code on the master is nevertheless unexpected.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2019-10099  

Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in PySpark, using broadcast and parallelize; and use of Python UDFs.
CWE-310 Cryptographic Issues

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2020-9480  

In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc).
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: HIGH (9.3)
  • Vector: /AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

spark-unsafe_2.10-2.2.2.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-unsafe_2.10/2.2.2/e1eea755909a18bc15b6c49321e5ad9b66a4e6ee/spark-unsafe_2.10-2.2.2.jar
MD5: 0abfa8a25b8b7909d44d188dc135763a
SHA1: e1eea755909a18bc15b6c49321e5ad9b66a4e6ee
SHA256:c75c6ddb3efaeec5055032d8862ebb139ee18091447336b0cacb959211b73772
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

CVE-2018-11760  

When using PySpark, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. This affects versions 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: LOW (2.1)
  • Vector: /AV:L/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (5.5)
  • Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2018-11770  

From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property 'spark.authenticate.secret' establishes a shared secret for authenticating requests to submit jobs via spark-submit. However, the REST API does not use this or any other authentication mechanism, and this is not adequately documented. In this case, a user would be able to run a driver program without authenticating, but not launch executors, using the REST API. This REST API is also used by Mesos, when set up to run in cluster mode (i.e., when also running MesosClusterDispatcher), for job submission. Future versions of Spark will improve documentation on these points, and prohibit setting 'spark.authenticate.secret' when running the REST APIs, to make this clear. Future versions will also disable the REST API by default in the standalone master by changing the default value of 'spark.master.rest.enabled' to 'false'.
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: MEDIUM (4.9)
  • Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.2)
  • Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2018-11804  

Spark's Apache Maven-based build includes a convenience script, 'build/mvn', that downloads and runs a zinc server to speed up compilation. It has been included in release branches since 1.3.x, up to and including master. This server will accept connections from external hosts by default. A specially-crafted request to the zinc server could cause it to reveal information in files readable to the developer account running the build. Note that this issue does not affect end users of Spark, only developers building Spark from source code.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2018-17190  

In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker, the execution of code on the master is nevertheless unexpected.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2019-10099  

Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in PySpark, using broadcast and parallelize; and use of Python UDFs.
CWE-310 Cryptographic Issues

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2020-9480  

In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc).
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: HIGH (9.3)
  • Vector: /AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

spring-aop-4.3.23.RELEASE.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.springframework/spring-aop/4.3.23.RELEASE/f49489bf0774db690f85588cab86d943069704bd/spring-aop-4.3.23.RELEASE.jar
MD5: 60a74c8e5684240897eb7297e79ba75d
SHA1: f49489bf0774db690f85588cab86d943069704bd
SHA256:efb768361d2dc4976a889e96a076f4fe61b390dfc7e50530624d1352159f3bce
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • geode:default
  • geode:compileClasspath
  • geode:runtimeClasspath

Identifiers

CVE-2020-5421  

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: LOW (3.6)
  • Vector: /AV:N/AC:H/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N

References:

Vulnerable Software & Versions:

spring-beans-4.3.23.RELEASE.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.springframework/spring-beans/4.3.23.RELEASE/27570e1d493f636c910191004f822e756a9df871/spring-beans-4.3.23.RELEASE.jar
MD5: 4e16d0773ff7136bb2bfc0e8fe0f817e
SHA1: 27570e1d493f636c910191004f822e756a9df871
SHA256:b7669884ddd511fde96b4b2529a467167ee07dc7124b60c40d3a8850bcdaff53
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • geode:default
  • geode:compileClasspath
  • geode:runtimeClasspath

Identifiers

CVE-2020-5421  

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: LOW (3.6)
  • Vector: /AV:N/AC:H/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N

References:

Vulnerable Software & Versions:

spring-context-4.3.23.RELEASE.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.springframework/spring-context/4.3.23.RELEASE/337d1030cb7abeeb28618b01dab7250a90d77151/spring-context-4.3.23.RELEASE.jar
MD5: ed9191ca00726652469d6ad7ec733c79
SHA1: 337d1030cb7abeeb28618b01dab7250a90d77151
SHA256:65ef4ceb685119082e5c750e67c325ee8087d26930a594804c427b101d3b0b87
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • geode:default
  • geode:compileClasspath
  • geode:runtimeClasspath

Identifiers

CVE-2020-5421  

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: LOW (3.6)
  • Vector: /AV:N/AC:H/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N

References:

Vulnerable Software & Versions:

spring-core-4.3.23.RELEASE.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/4.3.23.RELEASE/1481429d44ea0deca1d8b9d6d5e948cb7f063bdb/spring-core-4.3.23.RELEASE.jar
MD5: 4092f5dbb7fe5ab537790d432ac21db1
SHA1: 1481429d44ea0deca1d8b9d6d5e948cb7f063bdb
SHA256:0eaab0b2f45c8af339a43e491fc710b2f7f9ee9979bed5e5a39a2ebd267e921e
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • geode:default
  • geode:compileClasspath
  • geode:runtimeClasspath

Identifiers

CVE-2020-5421  

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: LOW (3.6)
  • Vector: /AV:N/AC:H/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N

References:

Vulnerable Software & Versions:

spring-expression-4.3.23.RELEASE.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.springframework/spring-expression/4.3.23.RELEASE/cebdf400b3c820220deb868a84bce627eb8ad18c/spring-expression-4.3.23.RELEASE.jar
MD5: d7ff44d171407bb960a1e89e5b0893d6
SHA1: cebdf400b3c820220deb868a84bce627eb8ad18c
SHA256:c2e144e446956b897b91b153b7a3676fe5d0bf07b407b337961fb38c83ac21b1
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • geode:default
  • geode:compileClasspath
  • geode:runtimeClasspath

Identifiers

CVE-2020-5421  

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: LOW (3.6)
  • Vector: /AV:N/AC:H/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N

References:

Vulnerable Software & Versions:

spring-shell-1.2.0.RELEASE.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.springframework.shell/spring-shell/1.2.0.RELEASE/d94047721f292bd5334b5654e8600cef4b845049/spring-shell-1.2.0.RELEASE.jar
MD5: b9b3e0fb847f7f6de20d53e653e36d5b
SHA1: d94047721f292bd5334b5654e8600cef4b845049
SHA256:fe9f2b19a40d55fa140bb14bfd17addb6771bb074576e43496bf9b5b7427e73c
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • geode:default
  • geode:compileClasspath
  • geode:runtimeClasspath

Identifiers

spring-web-4.3.23.RELEASE.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/4.3.23.RELEASE/7690431d7f2175a8a825997b38d1433560d1a434/spring-web-4.3.23.RELEASE.jar
MD5: 19c712c3abef89b79e3d3a124d643ed4
SHA1: 7690431d7f2175a8a825997b38d1433560d1a434
SHA256:ee4fe2afef84e32b292b6427b7e90c5484cdc558db491ca8b33362465de7bb11
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • geode:default
  • geode:compileClasspath
  • geode:runtimeClasspath

Identifiers

CVE-2020-5421  

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: LOW (3.6)
  • Vector: /AV:N/AC:H/Au:S/C:P/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N

References:

Vulnerable Software & Versions:

sqlline-1.11.0.jar

Description:

Shell for issuing SQL to relational databases via JDBC

License:

Modified BSD License: https://opensource.org/licenses/BSD-3-Clause
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/sqlline/sqlline/1.11.0/9b277de54dea77e861f51854ac432ade4fd18899/sqlline-1.11.0.jar
MD5: 4022ecec2ddc5f5363e19951718387a6
SHA1: 9b277de54dea77e861f51854ac432ade4fd18899
SHA256:5451b46c60132c706ce6b754754b329dc08dc0ccdc2bdd80c1c0198e0ac603e5
Referenced In Project/Scope: calcite:sqllineClasspath

Identifiers

stax-api-1.0-2.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/javax.xml.stream/stax-api/1.0-2/d6337b0de8b25e53e81b922352fbea9f9f57ba0b/stax-api-1.0-2.jar
MD5: 7d18b63063580284c3f5734081fdc99f
SHA1: d6337b0de8b25e53e81b922352fbea9f9f57ba0b
SHA256:e8c70ebd76f982c9582a82ef82cf6ce14a7d58a4a4dca5cb7b7fc988c80089b7
Referenced In Projects/Scopes:

  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • spark:default
  • spark:compileClasspath
  • piglet:default
  • spark:runtimeClasspath

Identifiers

stream-2.7.0.jar

Description:

A library for summarizing data in streams for which it is infeasible to store all events

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.clearspring.analytics/stream/2.7.0/9998f8cf87d329fef226405f8d519638cfe1431d/stream-2.7.0.jar
MD5: 02fc1abdf3c14a1d759c3ac799b54cec
SHA1: 9998f8cf87d329fef226405f8d519638cfe1431d
SHA256:eb66267be63bba45f3e9d4e143bc32906db595dbbedafb62842e7ea340796e01
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

stringtemplate-3.2.1.jar

Description:

StringTemplate is a Java template engine for generating source code, web pages, emails, or any other formatted text output.

StringTemplate is particularly good at multi-targeted code generators, multiple site skins, and internationalization/localization.

It evolved over years of effort developing jGuru.com.

StringTemplate also generates the stringtemplate website: http://www.stringtemplate.org and powers the ANTLR v3 code generator. Its distinguishing characteristic is that unlike other engines, it strictly enforces model-view separation.

Strict separation makes websites and code generators more flexible and maintainable; it also provides an excellent defense against malicious template authors.

There are currently about 600 StringTemplate source downloads a month.

License:

BSD licence: http://antlr.org/license.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.antlr/stringtemplate/3.2.1/59ec8083721eae215c6f3caee944c410d2be34de/stringtemplate-3.2.1.jar
MD5: b58ca53e518a92a1991eb63b61917582
SHA1: 59ec8083721eae215c6f3caee944c410d2be34de
SHA256:f66ce72e965e5301cb0f020e54d2ba6ad76feb91b3cbfc30dbbf00c06a6df6d7
Referenced In Projects/Scopes:
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • pig:runtimeClasspath
  • piglet:default
  • pig:default
  • pig:compileClasspath

Identifiers

tpcds-0.4.jar

Description:

Port of the TPC-DS data generator to Java

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.hydromatic/tpcds/0.4/f379d199ad056b8b374370181ff9e9581fb5e931/tpcds-0.4.jar
MD5: 194b806636dad31c70b4e9c7c7c5afcb
SHA1: f379d199ad056b8b374370181ff9e9581fb5e931
SHA256:0c5f8e6e13bd528531dcec568c72937f14165b95c4348a20055f6ea880b18dc3
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • plus:compileClasspath
  • plus:default
  • plus:runtimeClasspath

Identifiers

tpcds-1.2.jar

Description:

Java based generator for TPC-DS data

License:

Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.teradata.tpcds/tpcds/1.2/1126480765c57e1636c6cfd776d560fa1c115274/tpcds-1.2.jar
MD5: d9b463cec07688427a41679dce67a609
SHA1: 1126480765c57e1636c6cfd776d560fa1c115274
SHA256:08463e70b4b0282b5fb1970bd73dd1c3b407d34b78bbb12ea4071056a507d884
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • plus:compileClasspath
  • plus:default
  • plus:runtimeClasspath

Identifiers

tpch-1.0.jar

Description:

Port of TPC-H dbgen to Java

License:

Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/io.prestosql.tpch/tpch/1.0/ae465d43254717c3211a613c9f1fa2a3c97641df/tpch-1.0.jar
MD5: bc5537dcdaf548f1f312633a6468eb90
SHA1: ae465d43254717c3211a613c9f1fa2a3c97641df
SHA256:0f55e2ee3302ba0bf9966d65295f6fa534898aad2d9067f0c656d5a14d1ca566
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • plus:compileClasspath
  • plus:default
  • plus:runtimeClasspath

Identifiers

trove4j-1.0.20181211.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jetbrains.intellij.deps/trove4j/1.0.20181211/216c2e14b070f334479d800987affe4054cd563f/trove4j-1.0.20181211.jar
MD5: 5cc726d08f3d05f7a7cadd4c20c2de78
SHA1: 216c2e14b070f334479d800987affe4054cd563f
SHA256:affb7c85a3c87bdcf69ff1dbb84de11f63dc931293934bc08cd7ab18de083601
Referenced In Project/Scope: core:kotlinCompilerClasspath

Identifiers

unused-1.0.0.jar

License:

The Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.spark-project.spark/unused/1.0.0/205fe37a2fade6ce6dfcf8eff57ed21a4a1c22af/unused-1.0.0.jar
MD5: 763373ce9fe48581d4f2b8ffca35bb82
SHA1: 205fe37a2fade6ce6dfcf8eff57ed21a4a1c22af
SHA256:00fd27fc9bde701581e7dcf5b95981d9e749a1c176bb8bfcd49f675768ff6bf0
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

CVE-2017-7678  

In Apache Spark before 2.2.0, it is possible for an attacker to take advantage of a user's trust in the server to trick them into visiting a link that points to a shared Spark cluster and submits data including MHTML to the Spark master, or history server. This data, which could contain a script, would then be reflected back to the user and could be evaluated and executed by MS Windows-based clients. It is not an attack on Spark itself, but on the user, who may then execute the script inadvertently when viewing elements of the Spark web UIs.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions:

CVE-2018-1334  

In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application.
CWE-200 Information Exposure

CVSSv2:
  • Base Score: LOW (1.9)
  • Vector: /AV:L/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: MEDIUM (4.7)
  • Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2018-17190  

In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker, the execution of code on the master is nevertheless unexpected.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2020-9480  

In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc).
CWE-287 Improper Authentication

CVSSv2:
  • Base Score: HIGH (9.3)
  • Vector: /AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

uzaygezen-core-0.2.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.google.uzaygezen/uzaygezen-core/0.2/611b82d4c4b4f67cc3d83cf0697ec660fcee2fff/uzaygezen-core-0.2.jar
MD5: e7c07491e229b40738ba0d4be05cedca
SHA1: 611b82d4c4b4f67cc3d83cf0697ec660fcee2fff
SHA256:29aabe951d220f03b3789332f9f455ca2eba953c91ecef8aa06f76f458cedc4e
Referenced In Projects/Scopes:

  • babel:default
  • piglet:runtimeClasspath
  • spark:default
  • splunk:default
  • function:runtimeClasspath
  • kafka:default
  • redis:runtimeClasspath
  • server:runtimeClasspath
  • cassandra:runtimeClasspath
  • druid:default
  • spark:runtimeClasspath
  • core:default
  • babel:runtimeClasspath
  • elasticsearch:runtimeClasspath
  • innodb:default
  • piglet:default
  • pig:default
  • plus:runtimeClasspath
  • function:default
  • csv:default
  • core:implementationDependenciesMetadata
  • kafka:runtimeClasspath
  • splunk:runtimeClasspath
  • core:compileClasspath
  • file:runtimeClasspath
  • innodb:runtimeClasspath
  • calcite:sqllineClasspath
  • core:runtimeClasspath
  • geode:default
  • elasticsearch:default
  • druid:runtimeClasspath
  • mongodb:runtimeClasspath
  • file:default
  • server:default
  • pig:runtimeClasspath
  • mongodb:default
  • redis:default
  • geode:runtimeClasspath
  • csv:runtimeClasspath
  • plus:default
  • cassandra:default

Identifiers

validation-api-1.1.0.Final.jar

Description:

Bean Validation API

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/javax.validation/validation-api/1.1.0.Final/8613ae82954779d518631e05daa73a6a954817d5/validation-api-1.1.0.Final.jar
MD5: 4c257f52462860b62ab3cdab45f53082
SHA1: 8613ae82954779d518631e05daa73a6a954817d5
SHA256:f39d7ba7253e35f5ac48081ec1bc28c5df9b32ac4b7db20853e5a8e76bf7b0ed
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

xalan-2.7.1.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/xalan/xalan/2.7.1/75f1d83ce27bab5f29fff034fc74aa9f7266f22a/xalan-2.7.1.jar
MD5: d43aad24f2c143b675292ccfef487f9c
SHA1: 75f1d83ce27bab5f29fff034fc74aa9f7266f22a
SHA256:55a2e95144acf1abe44fea91c2948525c9b1f00fcaa1d10e753e92872ffbdd1e
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:runtimeClasspath

Identifiers

CVE-2014-0107  

The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.
CWE-264 Permissions, Privileges, and Access Controls

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

References:

Vulnerable Software & Versions:

xbean-asm5-shaded-4.4.jar

Description:

Repackaged and shaded asm 5.x jars

License:

http://asm.ow2.org/license.html
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.xbean/xbean-asm5-shaded/4.4/a413bb5a8571d4c86a47e8a0272ba7ab0d1a17f5/xbean-asm5-shaded-4.4.jar
MD5: a7f12ad12043241dd36239ff9a77dff6
SHA1: a413bb5a8571d4c86a47e8a0272ba7ab0d1a17f5
SHA256:7d41dde216615b6c08adafe16e73598cd4ebfaa090394ae692dda8094576952a
Referenced In Projects/Scopes:
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

xbean-asm5-shaded-4.4.jar (shaded: org.apache.xbean:xbean-asm-util:4.4)

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.xbean/xbean-asm5-shaded/4.4/a413bb5a8571d4c86a47e8a0272ba7ab0d1a17f5/xbean-asm5-shaded-4.4.jar/META-INF/maven/org.apache.xbean/xbean-asm-util/pom.xml
MD5: 9f1e70369ed5331452bbe458628f1393
SHA1: 9419eadb931dccfdd4c068a6d4dab350428be837
SHA256:de7d6f5da2734d5b1006d5fbbdb758a52f9dfd81484b3724c547e5a4df8bfc63
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

xercesImpl-2.9.1.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/xerces/xercesImpl/2.9.1/7bc7e49ddfe4fb5f193ed37ecc96c12292c8ceb6/xercesImpl-2.9.1.jar
MD5: f807f86d7d9db25edbfc782aca7ca2a9
SHA1: 7bc7e49ddfe4fb5f193ed37ecc96c12292c8ceb6
SHA256:6ae540a7c85c814ac64bea48016b3a6f45c95d4765f547fcc0053dc36c94ed5c
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

CVE-2009-2625 (OSSINDEX)  

> A denial of service flaw was found in the way the JRE processes XML. A remote attacker could use this flaw to supply crafted XML that would lead to a denial of service.
> 
> -- [redhat.com](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2625)
Unscored:
  • Severity: Unknown

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:xerces:xercesImpl:2.9.1:*:*:*:*:*:*:*

xml-apis-1.3.04.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/xml-apis/xml-apis/1.3.04/90b215f48fe42776c8c7f6e3509ec54e84fd65ef/xml-apis-1.3.04.jar
MD5: 9ae9c29e4497fc35a3eade1e6dd0bbeb
SHA1: 90b215f48fe42776c8c7f6e3509ec54e84fd65ef
SHA256:d404aa881eb9c5f7a4fb546e84ea11506cd417a72b5972e88eff17f43f9f8a64
Referenced In Projects/Scopes:

  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • spark:runtimeClasspath

Identifiers

xml-resolver-1.2.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/xml-resolver/xml-resolver/1.2/3d0f97750b3a03e0971831566067754ba4bfd68c/xml-resolver-1.2.jar
MD5: 706c533146c1f4ee46b66659ea14583a
SHA1: 3d0f97750b3a03e0971831566067754ba4bfd68c
SHA256:47dcde8986019314ef78ae7280a94973a21d2ed95075a40a000b42da956429e1
Referenced In Projects/Scopes:

  • babel:fmppClaspath
  • server:fmppClaspath
  • core:fmppClaspath

Identifiers

xmlenc-0.52.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/xmlenc/xmlenc/0.52/d82554efbe65906d83b3d97bd7509289e9db561a/xmlenc-0.52.jar
MD5: c962b6bc3c8de46795b0ed94851fa9c7
SHA1: d82554efbe65906d83b3d97bd7509289e9db561a
SHA256:282ae185fc2ff27da7714af9962897c09cfefafb88072219c4a2f9c73616c026
Referenced In Projects/Scopes:

  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • pig:runtimeClasspath
  • spark:default
  • spark:compileClasspath
  • piglet:default
  • pig:default
  • spark:runtimeClasspath
  • pig:compileClasspath

Identifiers

xz-1.0.jar

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.tukaani/xz/1.0/ecff5cb8b1189514c9d1d8d68eb77ac372e000c9/xz-1.0.jar
MD5: 8c53d7a772f11a88ee95c6ed0c215e49
SHA1: ecff5cb8b1189514c9d1d8d68eb77ac372e000c9
SHA256:7eafdc8880da10286c2398fa42e3bf68c3e845c35ae7a6ae67f5cc1fa16c7405
Referenced In Projects/Scopes:

  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • pig:runtimeClasspath
  • spark:default
  • spark:compileClasspath
  • piglet:default
  • pig:default
  • spark:runtimeClasspath
  • pig:compileClasspath

Identifiers

zookeeper-3.4.6.jar

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.zookeeper/zookeeper/3.4.6/1b2502e29da1ebaade2357cd1de35a855fa3755/zookeeper-3.4.6.jar
MD5: 7d01d317c717268725896cfb81b18152
SHA1: 01b2502e29da1ebaade2357cd1de35a855fa3755
SHA256:8a375a1ef98cbc0e1f6e9dfd0d96d914b74d37ad00b4bf81beb77fa8f34d33ae
Referenced In Projects/Scopes:
  • piglet:compileClasspath
  • piglet:runtimeClasspath
  • calcite:sqllineClasspath
  • spark:default
  • spark:compileClasspath
  • piglet:default
  • spark:runtimeClasspath

Identifiers

CVE-2016-5017  

Buffer overflow in the C cli shell in Apache Zookeeper before 3.4.9 and 3.5.x before 3.5.3, when using the "cmd:" batch mode syntax, allows attackers to have unspecified impact via a long command string.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions:

CVE-2017-5637  

The two four-letter-word commands "wchp/wchc" are CPU intensive and could cause a spike in CPU utilization on an Apache ZooKeeper server if abused, leaving the server unable to serve legitimate client requests. Apache ZooKeeper through versions 3.4.9 and 3.5.2 suffers from this issue, which is fixed in 3.4.10, 3.5.3, and later.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion'), CWE-306 Missing Authentication for Critical Function

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions:

CVE-2018-8012  

No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha through 3.5.3-beta. As a result an arbitrary end point could join the cluster and begin propagating counterfeit changes to the leader.
CWE-862 Missing Authorization

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions:

CVE-2019-0201  

An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when it retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as a plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by a getACL() request for unauthenticated or unprivileged users.
CWE-862 Missing Authorization

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2021-21409 (OSSINDEX)  

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which missed this one case. This was fixed as part of 4.1.61.Final.
CVSSv3:
  • Base Score: MEDIUM (5.9)
  • Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.apache.zookeeper:zookeeper:3.4.6:*:*:*:*:*:*:*

zstd-jni-1.3.7-1.jar

Description:

JNI bindings for Zstd native library that provides fast and high compression lossless algorithm for Java and all JVM languages.

License:

https://opensource.org/licenses/BSD-2-Clause;description=BSD 2-Clause License
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.github.luben/zstd-jni/1.3.7-1/7100c646bbb0acad54b7add33dab25ff4b3ba4df/zstd-jni-1.3.7-1.jar
MD5: c2a66122380a2a33df7f0ce09f593e71
SHA1: 7100c646bbb0acad54b7add33dab25ff4b3ba4df
SHA256: ebefe5b8698a57c55c64a297eaf8ba931c2cbc7df5b72de38ac1d034372b46e6
Referenced In Projects/Scopes:
  • kafka:runtimeClasspath
  • calcite:sqllineClasspath
  • kafka:compileClasspath
  • kafka:default

Identifiers

zstd-jni-1.3.7-1.jar: libzstd-jni.dll

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.github.luben/zstd-jni/1.3.7-1/7100c646bbb0acad54b7add33dab25ff4b3ba4df/zstd-jni-1.3.7-1.jar/win/x86/libzstd-jni.dll
MD5: d4bf33e77bec84596b9e989afa001ca1
SHA1: 9beb0abf102c3ad980036dd53b9ca227428529fc
SHA256: 5defdabbc0eea3dc5348d990d56013b9a9373d574b1efb61846a76e53fe9516a
Referenced In Projects/Scopes:

  • kafka:runtimeClasspath
  • calcite:sqllineClasspath
  • kafka:compileClasspath
  • kafka:default

Identifiers

  • None

zstd-jni-1.3.7-1.jar: libzstd-jni.dll

File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.github.luben/zstd-jni/1.3.7-1/7100c646bbb0acad54b7add33dab25ff4b3ba4df/zstd-jni-1.3.7-1.jar/win/amd64/libzstd-jni.dll
MD5: cfd651a15ef29acf0e11dfcd41efb6e7
SHA1: 3bc54bff4dff5e1c48e367f9e3ec6c39c80fc188
SHA256: 3bebcf324ee53dca1ce2bacc46924aba46196d323da79f246d92ad9f5a81b63b
Referenced In Projects/Scopes:

  • kafka:runtimeClasspath
  • calcite:sqllineClasspath
  • kafka:compileClasspath
  • kafka:default

Identifiers

  • None


This report contains data retrieved from the National Vulnerability Database.
This report may contain data retrieved from the NPM Public Advisories.
This report may contain data retrieved from RetireJS.
This report may contain data retrieved from the Sonatype OSS Index.